fs_setcrypt(1) [debian man page]
FS_SETCRYPT(1) AFS Command Reference FS_SETCRYPT(1) NAME
fs_setcrypt - Enables of disables the encryption of AFS file transfers SYNOPSIS
fs setcrypt [-crypt] <on/off> [-help] DESCRIPTION
The fs setcrypt command sets the status of network traffic encryption for file traffic in the AFS client. This encryption applies to file traffic going to and coming from the AFS File Server for users with valid tokens. This command does not control the encryption used for authentication, which uses Kerberos 5 or klog/kaserver. The complement of this command is fs getcrypt, which shows the status of encryption on the client. The default encryption status is enabled. This is a global setting and applies to all subsequent connections to an AFS File Server from this Cache Manager. There is no way to enable or disable encryption for specific connections. CAUTIONS
AFS uses an encryption scheme called fcrypt, based on but slightly weaker than DES, and there is currently no way to specify a different encryption mechanism. Because fcrypt and DES are obsolete, the user must decide how much to trust the encryption. Consider using a Virtual Private Network at the IP level if better encryption is needed. Encrypting file traffic requires a token. Unauthenticated connections or connections authorized via IP-based ACLs will not be encrypted even when encryption is turned on. OPTIONS
-crypt <on/off> This is the only option to fs setcrypt. The -crypt option takes either "on" or "off". "on" enables encryption. "off" disables encryption. Since this is the only option, the "-crypt" flag may be omitted. 0 and 1 or "true" and "false" are not supported as replacements for "on" and "off". -help Prints the online help for this command. All other valid options are ignored. OUTPUT
This command produces no output other than error messages. EXAMPLES
There are only four ways to invoke fs setcrypt. Either of: % fs setcrypt -crypt on % fs setcrypt on will enable encryption for authenticated connections and: % fs setcrypt -crypt off % fs setcrypt off will disable encryption. PRIVILEGE REQUIRED
The issuer must be logged in as the local superuser root. SEE ALSO
fs_getcrypt(1) The description of the fcrypt encryption mechanism at http://surfvi.com/~ota/fcrypt-paper.txt <http://surfvi.com/~ota/fcrypt-paper.txt>. COPYRIGHT
Copyright 2007 Jason Edgecombe <jason@rampaginggeek.com> This documentation is covered by the BSD License as written in the doc/LICENSE file. This man page was written by Jason Edgecombe for OpenAFS. OpenAFS 2012-03-26 FS_SETCRYPT(1)
Check Out this Related Man Page
UPSERVER(8) AFS Command Reference UPSERVER(8) NAME
upserver - Initializes the server portion of the Update Server SYNOPSIS
upserver [<directory>+] [-crypt <directory>+] [-clear <directory>+] [-auth <directory>+] [-help] DESCRIPTION
The upserver command initializes the server portion of the Update Server (the "upserver" process). In the conventional configuration, its binary file is located in the /usr/lib/openafs directory on a file server machine. The upserver command is not normally issued at the command shell prompt but rather placed into a file server machine's /etc/openafs/BosConfig file with the bos create command. If it is ever issued at the command shell prompt, the issuer must be logged onto a database server machine as the local superuser "root". The upserver command specifies which of the directories on the local disk are eligible for distribution in response to requests from the client portion of the Update Server (the upclient process) running on other machines. If no directories are specified, the upserver process distributes the contents of any directory on its local disk. The upserver process can distribute a directory's contents in encrypted or unencrypted form. By default, it does not use encryption unless an upclient process requests it (this default is equivalent to setting the -clear flag). When the -crypt flag is provided, the upserver process only fulfills requests for encrypted transfer. The upclient and upserver processes always mutually authenticate, whether or not the data they pass is encrypted; they use the key with the highest key version number in the /etc/openafs/server/KeyFile file to construct a server ticket for mutual authentication. This command does not use the syntax conventions of the AFS command suites. Provide the command name and all option names in full. CAUTIONS
Do not use the Update Server to distribute the contents of the /etc/openafs/server directory without the -crypt flag. The contents of this directory are sensitive. OPTIONS
<directory>+ Names each directory to distribute in unencrypted form (because they appear before the first -crypt or -clear flag on the command line). If this argument is omitted, all directories on the machine's local disk are eligible for distribution. -crypt <directory>+ Precedes a list of one or more directories that the upserver process distributes only in encrypted form. -clear <directory>+ Precedes a list of one or more directories that the upserver process distributes in unencrypted form unless the upclient process requests them in encrypted form. Use this argument only if a list of directories headed by the -crypt flag precedes it on the command line. -auth <directory>+ Precedes a list of one or more directories which the upserver process distributes using a form of encryption that is intermediate in complexity and security between the unencrypted and encrypted levels set by the -clear and -crypt arguments. Do not use this argument, because the upclient process does not have a corresponding argument that it can use to request data transfer at this level. -help Prints the online help for this command. All other valid options are ignored. EXAMPLES
The following example bos create command defines and starts an upserver process on the host machine "fs1.abc.com". The last parameter (enclosed in quotes) instructs the upserver process to distribute the contents of the /usr/lib/openafs directory in unencrypted form and the contents of the /etc/openafs/server directory in encrypted form. % bos create -server fs1.abc.com -instance upserver -type simple -cmd "/usr/lib/openafs/upserver /usr/lib/openafs -crypt /etc/openafs/server" PRIVILEGE REQUIRED
The issuer must be logged in as the superuser "root" on a file server machine to issue the command at a command shell prompt. It is conventional instead to create and start the process by issuing the bos create command. SEE ALSO
BosConfig(5), bos_create(8), upclient(8) COPYRIGHT
IBM Corporation 2000. <http://www.ibm.com/> All Rights Reserved. This documentation is covered by the IBM Public License Version 1.0. It was converted from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell. OpenAFS 2012-03-26 UPSERVER(8)