.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "FS_SETCRYPT 1"
.TH FS_SETCRYPT 1 "2022-12-22" "OpenAFS" "AFS Command Reference"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
fs_setcrypt \- Enables of disables the encryption of AFS file transfers
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBfs setcrypt\fR [\fB\-crypt\fR]\ <\fIon/off\fR> [\fB\-help\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBfs setcrypt\fR command sets the status of network traffic encryption
for file traffic in the \s-1AFS\s0 client. This encryption applies to file
traffic going to and coming from the \s-1AFS\s0 File Server for users with valid
tokens.  This command does not control the encryption used for
authentication, which uses Kerberos 5 or klog/kaserver. The complement of
this command is \fBfs getcrypt\fR, which shows the status of encryption on
the client.
.PP
The default encryption status is enabled on Windows. It is disabled on all
non-Windows clients by default. You may enable encryption by default on
non-Windows platforms by executing \fBfs setcrypt \-crypt on\fR immediately
after the client daemon starts. For example, on Linux, you can do this
within the SysV init script, or with systemd's ExecStartPost parameter.
.PP
This is a global setting and applies to all subsequent connections to an
\&\s-1AFS\s0 File Server from this Cache Manager. There is no way to enable or
disable encryption for specific connections.
.SH "CAUTIONS"
.IX Header "CAUTIONS"
\&\s-1AFS\s0 uses an encryption scheme called fcrypt, based on but slightly weaker
than \s-1DES,\s0 and there is currently no way to specify a different encryption
mechanism. Because fcrypt and \s-1DES\s0 are obsolete, the user must decide how
much to trust the encryption. Consider using a Virtual Private Network at
the \s-1IP\s0 level if better encryption is needed.
.PP
Encrypting file traffic requires a token. Unauthenticated connections or
connections authorized via IP-based ACLs will not be encrypted even when
encryption is turned on.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-crypt\fR <\fIon/off\fR>" 4
.IX Item "-crypt <on/off>"
This is the only option to \fBfs setcrypt\fR. The \fB\-crypt\fR option takes
either \f(CW\*(C`on\*(C'\fR or \f(CW\*(C`off\*(C'\fR. \f(CW\*(C`on\*(C'\fR enables encryption. \f(CW\*(C`off\*(C'\fR disables
encryption. Since this is the only option, the \f(CW\*(C`\-crypt\*(C'\fR flag may be
omitted.
.Sp
\&\f(CW0\fR and \f(CW1\fR or \f(CW\*(C`true\*(C'\fR and \f(CW\*(C`false\*(C'\fR are not supported as replacements
for \f(CW\*(C`on\*(C'\fR and \f(CW\*(C`off\*(C'\fR.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Prints the online help for this command. All other valid options are
ignored.
.SH "OUTPUT"
.IX Header "OUTPUT"
This command produces no output other than error messages.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
There are only four ways to invoke \fBfs setcrypt\fR.  Either of:
.PP
.Vb 2
\&   % fs setcrypt \-crypt on
\&   % fs setcrypt on
.Ve
.PP
will enable encryption for authenticated connections and:
.PP
.Vb 2
\&   % fs setcrypt \-crypt off
\&   % fs setcrypt off
.Ve
.PP
will disable encryption.
.SH "PRIVILEGE REQUIRED"
.IX Header "PRIVILEGE REQUIRED"
The issuer must be logged in as the local superuser root.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBfs_getcrypt\fR\|(1)
.PP
The description of the fcrypt encryption mechanism at
<http://surfvi.com/~ota/fcrypt\-paper.txt>.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2007 Jason Edgecombe <jason@rampaginggeek.com>
.PP
This documentation is covered by the \s-1BSD\s0 License as written in the
doc/LICENSE file. This man page was written by Jason Edgecombe for
OpenAFS.