[hcoop/debian/openafs.git] / doc / man-pages / pod1 / fs_setcrypt.pod

=head1 NAME

fs_setcrypt - Enables of disables the encryption of AFS file transfers

=head1 SYNOPSIS

=for html
<div class="synopsis">

B<fs setcrypt> S<<< [B<-crypt>] <I<on/off>> >>> [B<-help>]

=for html
</div>

=head1 DESCRIPTION

The B<fs setcrypt> command sets the status of network traffic encryption
for file traffic in the AFS client. This encryption applies to file
traffic going to and coming from the AFS File Server for users with valid
tokens.  This command does not control the encryption used for
authentication, which uses Kerberos 5 or klog/kaserver. The complement of
this command is B<fs getcrypt>, which shows the status of encryption on
the client.

The default encryption status is enabled on Windows. It is disabled on all
non-Windows clients by default. You may enable encryption by default on
non-Windows platforms by executing B<fs setcrypt -crypt on> immediately
after the client daemon starts. For example, on Linux, you can do this
within the SysV init script, or with systemd's ExecStartPost parameter.

This is a global setting and applies to all subsequent connections to an
AFS File Server from this Cache Manager. There is no way to enable or
disable encryption for specific connections.

=head1 CAUTIONS

AFS uses an encryption scheme called fcrypt, based on but slightly weaker
than DES, and there is currently no way to specify a different encryption
mechanism. Because fcrypt and DES are obsolete, the user must decide how
much to trust the encryption. Consider using a Virtual Private Network at
the IP level if better encryption is needed.

Encrypting file traffic requires a token. Unauthenticated connections or
connections authorized via IP-based ACLs will not be encrypted even when
encryption is turned on.

=head1 OPTIONS

=over 4

=item B<-crypt> <I<on/off>>

This is the only option to B<fs setcrypt>. The B<-crypt> option takes
either C<on> or C<off>. C<on> enables encryption. C<off> disables
encryption. Since this is the only option, the C<-crypt> flag may be
omitted.

C<0> and C<1> or C<true> and C<false> are not supported as replacements
for C<on> and C<off>.

=item B<-help>

Prints the online help for this command. All other valid options are
ignored.

=back

=head1 OUTPUT

This command produces no output other than error messages.

=head1 EXAMPLES

There are only four ways to invoke B<fs setcrypt>.  Either of:

   % fs setcrypt -crypt on
   % fs setcrypt on

will enable encryption for authenticated connections and:

   % fs setcrypt -crypt off
   % fs setcrypt off

will disable encryption.

=head1 PRIVILEGE REQUIRED

The issuer must be logged in as the local superuser root.

=head1 SEE ALSO

L<fs_getcrypt(1)>

The description of the fcrypt encryption mechanism at
L<http://surfvi.com/~ota/fcrypt-paper.txt>.

=head1 COPYRIGHT

Copyright 2007 Jason Edgecombe <jason@rampaginggeek.com>

This documentation is covered by the BSD License as written in the
doc/LICENSE file. This man page was written by Jason Edgecombe for
OpenAFS.
Commit	Line	Data
805e021f CE	1	=head1 NAME
	2
	3	fs_setcrypt - Enables of disables the encryption of AFS file transfers
	4
	5	=head1 SYNOPSIS
	6
	7	=for html
	8	<div class="synopsis">
	9
	10	B<fs setcrypt> S<<< [B<-crypt>] <I<on/off>> >>> [B<-help>]
	11
	12	=for html
	13	</div>
	14
	15	=head1 DESCRIPTION
	16
	17	The B<fs setcrypt> command sets the status of network traffic encryption
	18	for file traffic in the AFS client. This encryption applies to file
	19	traffic going to and coming from the AFS File Server for users with valid
	20	tokens. This command does not control the encryption used for
	21	authentication, which uses Kerberos 5 or klog/kaserver. The complement of
	22	this command is B<fs getcrypt>, which shows the status of encryption on
	23	the client.
	24
	25	The default encryption status is enabled on Windows. It is disabled on all
	26	non-Windows clients by default. You may enable encryption by default on
	27	non-Windows platforms by executing B<fs setcrypt -crypt on> immediately
	28	after the client daemon starts. For example, on Linux, you can do this
	29	within the SysV init script, or with systemd's ExecStartPost parameter.
	30
	31	This is a global setting and applies to all subsequent connections to an
	32	AFS File Server from this Cache Manager. There is no way to enable or
	33	disable encryption for specific connections.
	34
	35	=head1 CAUTIONS
	36
	37	AFS uses an encryption scheme called fcrypt, based on but slightly weaker
	38	than DES, and there is currently no way to specify a different encryption
	39	mechanism. Because fcrypt and DES are obsolete, the user must decide how
	40	much to trust the encryption. Consider using a Virtual Private Network at
	41	the IP level if better encryption is needed.
	42
	43	Encrypting file traffic requires a token. Unauthenticated connections or
	44	connections authorized via IP-based ACLs will not be encrypted even when
	45	encryption is turned on.
	46
	47	=head1 OPTIONS
	48
	49	=over 4
	50
	51	=item B<-crypt> <I<on/off>>
	52
	53	This is the only option to B<fs setcrypt>. The B<-crypt> option takes
	54	either C<on> or C<off>. C<on> enables encryption. C<off> disables
	55	encryption. Since this is the only option, the C<-crypt> flag may be
	56	omitted.
	57
	58	C<0> and C<1> or C<true> and C<false> are not supported as replacements
	59	for C<on> and C<off>.
	60
	61	=item B<-help>
	62
	63	Prints the online help for this command. All other valid options are
	64	ignored.
65
66	=back
67
68	=head1 OUTPUT
69
70	This command produces no output other than error messages.
71
72	=head1 EXAMPLES
73
74	There are only four ways to invoke B<fs setcrypt>. Either of:
75
76	% fs setcrypt -crypt on
77	% fs setcrypt on
78
79	will enable encryption for authenticated connections and:
80
81	% fs setcrypt -crypt off
82	% fs setcrypt off
83
84	will disable encryption.
85
86	=head1 PRIVILEGE REQUIRED
87
88	The issuer must be logged in as the local superuser root.
89
90	=head1 SEE ALSO
91
92	L<fs_getcrypt(1)>
93
94	The description of the fcrypt encryption mechanism at
95	L<http://surfvi.com/~ota/fcrypt-paper.txt>.
96
97	=head1 COPYRIGHT
98
99	Copyright 2007 Jason Edgecombe <jason@rampaginggeek.com>
100
101	This documentation is covered by the BSD License as written in the
102	doc/LICENSE file. This man page was written by Jason Edgecombe for
103	OpenAFS.