[OpenAFS-port-darwin] How to set encryption by default on OS X
Arthur Prokosch
arthurp@csail.mit.edu
Wed, 21 Mar 2012 16:25:08 -0400
On Tue, Mar 06, 2012 at 04:49:52PM -0500, Jeffrey Altman wrote:
> The patch I would support is one to the installer that provides crypt as
> a default on option.
>
> I'm not prepared to modify the core code default until OpenAFS 2.0.
> fcrypt is both not very secure and very expensive to compute when
> compared to AES-256/SHA-1 used in rxgk.
I'd like to propose the attached patch. Any comments before I start
navigating repository paths and installer build sequences?
In case it's stripped, it's also at
/afs/csail.mit.edu/u/a/arthurp/public/afs.conf.diff
thanks,
-arthur prokosch.
--- /var/db/openafs/etc/config/afs.conf.orig 2012-03-13 13:36:34.000000000 -0400
+++ /var/db/openafs/etc/config/afs.conf 2012-03-21 15:48:10.000000000 -0400
@@ -68,16 +68,25 @@
# attempt to resolve @sys to each directory name in the order given.
AFS_SYSNAME=""
+
+# Until core code is modified to make encrypted data transfer the default,
+# turn on FCrypt encryption at every startup.
+afs_crypt() {
+ fs setcrypt on
+}
+
# If you want to prefer particular servers for replicated volumes, you can
# configure that by defining an afs_server_prefs function here and then
# uncommenting the setting of AFS_POST_INIT below. For more information, see
# fs help setserverprefs and fs getserverprefs (for the current values).
#afs_server_prefs() {
+# afs_crypt
# fs setserverprefs <host> <rank>
#}
#afs_mariner() {
+# afs_crypt
# fs mariner localhost
#}
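Review bot: afs_crypt() runs "fs setcrypt on" without checking its exit status, so if the command fails at startup the client keeps sending data unencrypted and nothing is logged. Consider testing the return value and emitting a warning on failure. Separately, the "# afs_crypt" lines added inside the commented-out afs_server_prefs and afs_mariner examples carry no explanation; a one-line comment saying that AFS_POST_INIT names a single function, so any replacement function has to call afs_crypt itself, would keep users from deleting the call when they uncomment those examples.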
@@ -89,7 +98,7 @@
# or ; or similar shell meta-characters. If you want to run multiple
# commands, define a shell function instead and put the name of the shell
# function here.
-AFS_POST_INIT=
+AFS_POST_INIT=afs_crypt
# Uncomment this line if you defined an afs_server_prefs function. (If you
# have other commands that you also want to run, you'll have to put them in
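Review bot: with AFS_POST_INIT=afs_crypt as the new default, the instruction right after it ("Uncomment this line if you defined an afs_server_prefs function") should be updated, because any later assignment to AFS_POST_INIT replaces afs_crypt and encryption then depends on the user's own function calling it. Suggest rewording that comment to state that the replacement function must call afs_crypt, or that removing the call turns encryption back off.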