xenial (1) fs_setcrypt.1.gz

Provided by: openafs-client_1.6.15-1ubuntu1.1_amd64 bug

NAME
       fs_setcrypt - Enables of disables the encryption of AFS file transfers


SYNOPSIS
       fs setcrypt [-crypt] <on/off> [-help]


DESCRIPTION
       The fs setcrypt command sets the status of network traffic encryption for file traffic in the AFS client.
       This encryption applies to file traffic going to and coming from the AFS File Server for users with valid
       tokens.  This command does not control the encryption used for authentication, which uses Kerberos 5 or
       klog/kaserver. The complement of this command is fs getcrypt, which shows the status of encryption on the
       client.

       The default encryption status is enabled on Windows. It is disabled on all non-Windows clients by
       default. You may enable encryption by default on non-Windows platforms by executing fs setcrypt -crypt on
       immediately after the client daemon starts. For example, on Linux, you can do this within the SysV init
       script, or with systemd's ExecStartPost parameter.

       This is a global setting and applies to all subsequent connections to an AFS File Server from this Cache
       Manager. There is no way to enable or disable encryption for specific connections.


CAUTIONS
       AFS uses an encryption scheme called fcrypt, based on but slightly weaker than DES, and there is
       currently no way to specify a different encryption mechanism. Because fcrypt and DES are obsolete, the
       user must decide how much to trust the encryption. Consider using a Virtual Private Network at the IP
       level if better encryption is needed.

       Encrypting file traffic requires a token. Unauthenticated connections or connections authorized via IP-
       based ACLs will not be encrypted even when encryption is turned on.


OPTIONS
       -crypt <on/off>
           This is the only option to fs setcrypt. The -crypt option takes either "on" or "off". "on" enables
           encryption. "off" disables encryption. Since this is the only option, the "-crypt" flag may be
           omitted.

           0 and 1 or "true" and "false" are not supported as replacements for "on" and "off".

       -help
           Prints the online help for this command. All other valid options are ignored.


OUTPUT
       This command produces no output other than error messages.


EXAMPLES
       There are only four ways to invoke fs setcrypt.  Either of:

          % fs setcrypt -crypt on
          % fs setcrypt on

       will enable encryption for authenticated connections and:

          % fs setcrypt -crypt off
          % fs setcrypt off

       will disable encryption.


PRIVILEGE REQUIRED
       The issuer must be logged in as the local superuser root.


SEE ALSO
       fs_getcrypt(1)

       The description of the fcrypt encryption mechanism at <http://surfvi.com/~ota/fcrypt-paper.txt>.


       Copyright 2007 Jason Edgecombe <jason@rampaginggeek.com>

       This documentation is covered by the BSD License as written in the doc/LICENSE file. This man page was
       written by Jason Edgecombe for OpenAFS.