Commit | Line | Data |
---|---|---|
805e021f CE |
1 | =head1 NAME |
2 | ||
3 | fs_setcrypt - Enables or disables the encryption of AFS file transfers | |
4 | ||
5 | =head1 SYNOPSIS | |
6 | ||
7 | =for html | |
8 | <div class="synopsis"> | |
9 | ||
10 | B<fs setcrypt> S<<< [B<-crypt>] <I<on/off>> >>> [B<-help>] | |
11 | ||
12 | =for html | |
13 | </div> | |
14 | ||
15 | =head1 DESCRIPTION | |
16 | ||
17 | The B<fs setcrypt> command sets the status of network traffic encryption | |
18 | for file traffic in the AFS client. This encryption applies to file | |
19 | traffic going to and coming from the AFS File Server for users with valid | |
20 | tokens. This command does not control the encryption used for | |
21 | authentication, which uses Kerberos 5 or klog/kaserver. The complement of | |
22 | this command is B<fs getcrypt>, which shows the status of encryption on | |
23 | the client. | |
24 | ||
25 | The default encryption status is enabled on Windows. It is disabled on all | |
26 | non-Windows clients by default. You may enable encryption by default on | |
27 | non-Windows platforms by executing B<fs setcrypt -crypt on> immediately | |
28 | after the client daemon starts. For example, on Linux, you can do this | |
29 | within the SysV init script, or with systemd's ExecStartPost parameter. | |
30 | ||
31 | This is a global setting and applies to all subsequent connections to an | |
32 | AFS File Server from this Cache Manager. There is no way to enable or | |
33 | disable encryption for specific connections. | |
34 | ||
35 | =head1 CAUTIONS | |
36 | ||
37 | AFS uses an encryption scheme called fcrypt, based on but slightly weaker | |
38 | than DES, and there is currently no way to specify a different encryption | |
39 | mechanism. Because fcrypt and DES are obsolete, the user must decide how | |
40 | much to trust the encryption. Consider using a Virtual Private Network at | |
41 | the IP level if better encryption is needed. | |
42 | ||
43 | Encrypting file traffic requires a token. Unauthenticated connections or | |
44 | connections authorized via IP-based ACLs will not be encrypted even when | |
45 | encryption is turned on. | |
46 | ||
47 | =head1 OPTIONS | |
48 | ||
49 | =over 4 | |
50 | ||
51 | =item B<-crypt> <I<on/off>> | |
52 | ||
53 | This is the only option to B<fs setcrypt>. The B<-crypt> option takes | |
54 | either C<on> or C<off>. C<on> enables encryption. C<off> disables | |
55 | encryption. Since this is the only option, the B<-crypt> flag may be | |
56 | omitted. | |
57 | ||
58 | C<0> and C<1> or C<true> and C<false> are not supported as replacements | |
59 | for C<on> and C<off>. | |
60 | ||
61 | =item B<-help> | |
62 | ||
63 | Prints the online help for this command. All other valid options are | |
64 | ignored. | |
65 | ||
66 | =back | |
67 | ||
68 | =head1 OUTPUT | |
69 | ||
70 | This command produces no output other than error messages. | |
71 | ||
72 | =head1 EXAMPLES | |
73 | ||
74 | There are only four ways to invoke B<fs setcrypt>. Either of: | |
75 | ||
76 | % fs setcrypt -crypt on | |
77 | % fs setcrypt on | |
78 | ||
79 | will enable encryption for authenticated connections and: | |
80 | ||
81 | % fs setcrypt -crypt off | |
82 | % fs setcrypt off | |
83 | ||
84 | will disable encryption. | |
85 | ||
86 | =head1 PRIVILEGE REQUIRED | |
87 | ||
88 | The issuer must be logged in as the local superuser root. | |
89 | ||
90 | =head1 SEE ALSO | |
91 | ||
92 | L<fs_getcrypt(1)> | |
93 | ||
94 | The description of the fcrypt encryption mechanism at | |
95 | L<http://surfvi.com/~ota/fcrypt-paper.txt>. | |
96 | ||
97 | =head1 COPYRIGHT | |
98 | ||
99 | Copyright 2007 Jason Edgecombe <jason@rampaginggeek.com> | |
100 | ||
101 | This documentation is covered by the BSD License as written in the | |
102 | doc/LICENSE file. This man page was written by Jason Edgecombe for | |
103 | OpenAFS. |
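
An added example (not part of the OpenAFS man page or source): a POSIX shell helper for the startup step described under DESCRIPTION. It turns encryption on, then reads the setting back with B<fs getcrypt> so that a SysV init script or an ExecStartPost step fails visibly if the client is still sending file traffic in the clear. The C<FS_CMD> variable, the function names, the C<--enforce> argument and the matched B<fs getcrypt> wording are assumptions of this example.

```shell
#!/bin/sh
# Added example: enable AFS file-traffic encryption right after the client
# daemon starts, and verify that the setting took effect. Must run as root.

# Assumption: the fs binary is on PATH. Override FS_CMD to point elsewhere.
FS_CMD="${FS_CMD:-fs}"

# Map the text printed by `fs getcrypt` to "on", "off" or "unknown".
# Assumed wording: "Security level is currently crypt (data security)."
# when enabled and "Security level is currently clear." when disabled.
crypt_state() {
    case "$1" in
        *"currently crypt"*) echo on ;;
        *"currently clear"*) echo off ;;
        *) echo unknown ;;
    esac
}

# Turn encryption on, then read the state back.
# Returns 0 only when getcrypt reports that encryption is enabled.
enforce_crypt() {
    # Only "on"/"off" are accepted; "1" or "true" are not supported.
    "$FS_CMD" setcrypt -crypt on || return 1
    state=$(crypt_state "$("$FS_CMD" getcrypt 2>/dev/null)")
    [ "$state" = on ]
}

# Entry point for an init script or ExecStartPost line:
#   /path/to/this-script --enforce
if [ "${1:-}" = "--enforce" ]; then
    if ! enforce_crypt; then
        echo "AFS file traffic encryption is NOT enabled" >&2
        exit 1
    fi
fi
```

A passing check only confirms the global Cache Manager setting. As CAUTIONS states, connections without a token are still not encrypted.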