FS_SETCRYPT(1)

NAME

fs_setcrypt - Enables of disables the encryption of AFS file transfers

SYNOPSIS

fs setcrypt [-crypt] <on/off> [-help]

DESCRIPTION

The fs setcrypt command sets the status of network traffic encryption for file traffic in the AFS client. This encryption applies to file
traffic going to and coming from the AFS File Server for users with
valid tokens. This command does not control the encryption used for
authentication, which uses Kerberos 5 or klog/kaserver. The complement of this command is fs getcrypt, which shows the status of encryption on the client.

The default encryption status is enabled.

This is a global setting and applies to all subsequent connections to
an AFS File Server from this Cache Manager. There is no way to enable
or disable encryption for specific connections.

CAUTIONS

AFS uses an encryption scheme called fcrypt, based on but slightly
weaker than DES, and there is currently no way to specify a different
encryption mechanism. Because fcrypt and DES are obsolete, the user
must decide how much to trust the encryption. Consider using a Virtual Private Network at the IP level if better encryption is needed.

Encrypting file traffic requires a token. Unauthenticated connections
or connections authorized via IP-based ACLs will not be encrypted even when encryption is turned on.

OPTIONS

-crypt <on/off>
This is the only option to fs setcrypt. The -crypt option takes either "on" or "off". "on" enables encryption. "off" disables
encryption. Since this is the only option, the "-crypt" flag may be omitted.
0 and 1 or "true" and "false" are not supported as replacements for "on" and "off".
-help
Prints the online help for this command. All other valid options
are ignored.

OUTPUT

This command produces no output other than error messages.

EXAMPLES

There are only four ways to invoke fs setcrypt. Either of:
% fs setcrypt -crypt on
% fs setcrypt on
will enable encryption for authenticated connections and:

% fs setcrypt -crypt off
% fs setcrypt off
will disable encryption.

PRIVILEGE REQUIRED

The issuer must be logged in as the local superuser root.

SEE ALSO

fs_getcrypt(1)

The description of the fcrypt encryption mechanism at
<http://surfvi.com/~ota/fcrypt-paper.txt>.

COPYRIGHT

Copyright 2007 Jason Edgecombe <jason@rampaginggeek.com>

This documentation is covered by the BSD License as written in the
doc/LICENSE file. This man page was written by Jason Edgecombe for
OpenAFS.

OpenAFS 2010-05-24 FS_SETCRYPT(1)

Copyright © 2010-2025 Platon Technologies, s.r.o.           Home | Man pages | tLDP | Documents | Utilities | About
Design by styleshout