NAME

fs_setcrypt - Modifies the state of encryption for Cache Manager operations

SYNOPSIS

fs setcrypt [-crypt] <on/auth/off> [-help]

DESCRIPTION

The fs setcrypt command sets the status of network traffic encryption for the Cache Manager. This encryption applies to communications between the Cache Manager and File Servers or Location Servers.

The actual use of encryption and the chosen encryption algorithm is determined by the existence of valid rxkad or yfs-rxgk tokens and the security policies (if any) applied to the File Servers.

The default encryption status is enabled. You can alter the default encryption state by executing fs setcrypt -crypt off or fs setcrypt -crypt auth immediately after the client daemon starts. For example, on Unix/Linux, you can do this using the yfs-client.conf(5) [afsd] postscript parameter.

CAUTIONS

When rxkad tokens are in use, network communications will be encrypted using an encryption algorithm called fcrypt. Fcrypt is based on DES but is slightly weaker. Fcrypt and DES are obsolete. Consider upgrading the cell to use yfs-rxgk to obtain support for AES256 encryption.

Encrypting file traffic requires a token. Unauthenticated connections or connections authorized via IP-based ACLs will not be encrypted even when encryption is turned on.

OPTIONS

-crypt <on/auth/off>

This is the only option to fs setcrypt. The -crypt option takes either on, auth, or off. on enables encryption. auth enables integrity mode. off disables encryption and integrity protection. Since this is the only option, the -crypt flag may be omitted.

0 and 1 or true and false are not supported as replacements for on and off.

-help

Prints the online help for this command. All other valid options are ignored.

OUTPUT

This command produces no output other than error messages.

EXAMPLES

There are only four ways to invoke fs setcrypt. Either of:

   % fs setcrypt -crypt on
   % fs setcrypt on

will enable encryption for authenticated connections and:

   % fs setcrypt -crypt off
   % fs setcrypt off

will disable encryption.

PRIVILEGE REQUIRED

The issuer must be logged in as the local superuser root.

SEE ALSO

fs_getcrypt(1), yfs-client.conf(5)

The description of the fcrypt encryption mechanism at http://surfvi.com/~ota/fcrypt-paper.txt.

COPYRIGHT

Copyright 2007 Jason Edgecombe <jason@rampaginggeek.com>

This documentation is covered by the BSD License as written in the doc/LICENSE file. This man page was written by Jason Edgecombe for OpenAFS.

ACKNOWLEDGEMENTS

"AFS" is a registered mark of International Business Machines Corporation, used under license. (USPTO Registration 1598389)

"OpenAFS" is a registered mark of International Business Machines Corporation. (USPTO Registration 4577045)

The "AuriStor" name, log 'S' brand mark, and icon are registered marks of AuriStor, Inc. (USPTO Registrations 4849419, 4849421, and 4928460) (EUIPO Registration 015539653).

"Your File System" is a registered mark of AuriStor, Inc. (USPTO Registrations 4801402 and 4849418).

"YFS" and "AuriStor File System" are trademarks of AuriStor, Inc.