KeyFileExt - Defines AuriStor File System server encryption keys
The KeyFileExt file defines the server encryption keys that the AuriStor File System services use to decrypt the tokens presented by clients when authenticating network connections. AuriStor File System services perform privileged actions only for clients that possess a token encrypted with one of the keys from the KeyFileExt file. The file must reside in the /etc/yfs/server directory on every server machine.
The AuriStor File System supports two authentication protocols, rxkad and yfs-rxgk. The KeyFileExt file stores keys for both protocols. Each key has a corresponding key version number that distinguishes it from the other keys. The tokens that clients present advertise a key version number the AuriStor File System services use to identify the matching decryption key.
For rxkad authentication, the KeyFileExt file must include a key with the same key version number and contents as the current key listed for the afs/cell service principal in the associated Kerberos v5 realm.
For yfs-rxgk authentication, the KeyFileExt file must include a yfs-rxgk key with the same key version number and contents as the one installed on the cell's location servers. Unlike the rxkad key, the yfs-rxgk key is not associated with a Kerberos v5 service principal.
The KeyFileExt file is in binary format, so always use the asetkey(8) command to administer it:
The asetkey add command adds a new key.
The asetkey list command displays the keys.
The asetkey delete command removes a key from the file.
The asetkey commands must be run on the server whose KeyFileExt file is being updated. New rxkad keys should be added from a Kerberos v5 keytab using asetkey add rxkad_krb5 kvno all keytab-file principal. New yfs-rxgk keys should be generated with the random option, using asetkey add yfs-rxgk kvno aes256-cts-hmac-sha1-96 random.
In cells that use the Update Server to distribute the contents of the /etc/yfs/server directory, it is customary to edit only the copy of the file stored on the system control machine.
The most common errors caused by changes to KeyFileExt are:
adding an rxkad key that does not match the corresponding key for the Kerberos v5 principal. Both the key and the key version number must match the key for the corresponding principal in the Kerberos v5 realm.
failing to synchronize the contents of the KeyFileExt file across all AuriStor File System servers.
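The two checks a practitioner wants before and after running asetkey are the ones implied by the administration procedure and the error list above: that the key version number the KDC holds for afs/cell is actually present as an rxkad_krb5 key in KeyFileExt, and what the next unused kvno is before adding a yfs-rxgk key. The following is an added example, not AuriStor's own tooling or documentation. It parses constructed sample output rather than querying live systems; the klist lines follow the MIT Kerberos "klist -kte" layout, and the asetkey output layout ("<type> kvno <n> ...") is an assumption, so the awk field positions should be adapted to what your installed tools actually print.

```shell
#!/bin/sh
# Added example (not AuriStor code): cross-check rxkad kvnos between the
# Kerberos keytab and KeyFileExt, and compute the next free yfs-rxgk kvno.
# Assumptions: MIT "klist -kte" layout (KVNO date time principal enctype)
# and an "asetkey list" line layout of "<type> kvno <n> ...".

# Constructed sample of `klist -kte /etc/krb5.keytab` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 01/15/2020 10:00:00 afs/example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 01/15/2020 10:00:00 afs/example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 01/10/2019 09:00:00 host/fs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Constructed sample of `asetkey list` output (assumed layout).
SAMPLE_ASETKEY='rxkad_krb5 kvno 3 enctype 18
rxkad_krb5 kvno 4 enctype 18
rxkad_krb5 kvno 4 enctype 17
yfs-rxgk kvno 7 enctype 18'

# Highest kvno the keytab holds for a principal; 0 when absent.
keytab_kvno() {  # $1 = klist output, $2 = principal
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 ~ /^[0-9]+$/ && $4 == p { if ($1 + 0 > m) m = $1 + 0 } END { print m + 0 }'
}

# Succeeds when KeyFileExt holds a key of the given type at the given kvno.
keyfile_has() {  # $1 = asetkey output, $2 = key type, $3 = kvno
    printf '%s\n' "$1" | awk -v t="$2" -v k="$3" \
        '$1 == t && $2 == "kvno" && $3 == k { found = 1 } END { exit found ? 0 : 1 }'
}

# Next unused kvno for a key type (the value to pass to "asetkey add").
next_kvno() {  # $1 = asetkey output, $2 = key type
    printf '%s\n' "$1" | awk -v t="$2" \
        '$1 == t && $2 == "kvno" { if ($3 + 0 > m) m = $3 + 0 } END { print m + 1 }'
}

# Report whether the KDC's kvno for afs/<cell> is present in KeyFileExt.
# Returns 0 on match, 1 on mismatch, 2 when the keytab has no afs/<cell> entry.
check_rxkad() {  # $1 = klist output, $2 = asetkey output, $3 = cell, $4 = realm
    kvno=$(keytab_kvno "$1" "afs/$3@$4")
    if [ "$kvno" -eq 0 ]; then
        echo "no afs/$3@$4 entry in keytab"
        return 2
    fi
    if keyfile_has "$2" rxkad_krb5 "$kvno"; then
        echo "OK: rxkad_krb5 kvno $kvno present in KeyFileExt"
        return 0
    fi
    echo "MISMATCH: keytab kvno $kvno for afs/$3 is not in KeyFileExt"
    return 1
}

# Stand-alone run against the constructed samples.
check_rxkad "$SAMPLE_KLIST" "$SAMPLE_ASETKEY" example.com EXAMPLE.COM
echo "next yfs-rxgk kvno: $(next_kvno "$SAMPLE_ASETKEY" yfs-rxgk)"
```

On a real server, replace the two sample variables with `"$(klist -kte /etc/krb5.keytab)"` and `"$(asetkey list)"`; a MISMATCH result is exactly the first error case listed above, and running the same check on every server is the quickest way to catch the second (unsynchronized KeyFileExt contents).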
asetkey(8), upclient(8), upserver(8)
Copyright AuriStor, Inc. 2014-2020. https://www.auristor.com/ All Rights Reserved.
"AFS" is a registered mark of International Business Machines Corporation, used under license. (USPTO Registration 1598389)
"OpenAFS" is a registered mark of International Business Machines Corporation. (USPTO Registration 4577045)
The "AuriStor" name, log 'S' brand mark, and icon are registered marks of AuriStor, Inc. (USPTO Registrations 4849419, 4849421, and 4928460) (EUIPO Registration 015539653).
"Your File System" is a registered mark of AuriStor, Inc. (USPTO Registrations 4801402 and 4849418).
"YFS" and "AuriStor File System" are trademarks of AuriStor, Inc.