We're starting a project to provide a set of AFS servers and a file space with additional security restrictions around who can access it so that it's suitable for storing data subject to various regulatory requirements. This space will require using either strong TLS or a VPN to access any files in that space.
One of the concerns raised by our Information Security Office is that a primary point of this space is to get the data off of people's hard drives and into central storage that can be managed securely. If the data persists in users' caches after they disconnect from the VPN required to access the secure space directly, this would partly defeat this purpose.

What would be the best way to force a purge of the user's AFS cache when they disconnect from the VPN, or at least ensure that the data doesn't persist on the local system for longer than a few hours after they finish working on it? Setting a lifetime for data in the cache would be sufficient, but I don't think there's a way to do that. Would the best way to try to tackle this be to use fs setcache to reduce and then enlarge the cache as part of some script associated with the VPN configuration? Is there any simpler way?

We'll need to address this for both Windows and Mac AFS clients. (Linux is possible but less likely for this particular use case.)

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
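As an added example (not from the original post and not OpenAFS's own code), here is the shrink-and-restore approach floated above written as a POSIX shell VPN-down hook for a Mac or Linux client, trying `fs flushall` first and falling back to `fs setcachesize`. Assumptions: the OpenAFS `fs` binary is on PATH, the hook runs as root (both commands need it), and the hook is wired to whatever the VPN client provides (the `--run` argument and an OpenVPN `--down` script are illustrative, not part of any product). The `fs getcacheparms` line it parses is a constructed sample.

```sh
#!/bin/sh
# Added example, not from the original post or from OpenAFS.
# Assumes: 'fs' on PATH, run as root, disk-cache client.
# Hook trigger (e.g. OpenVPN --down, invoked as 'purge-afs-cache.sh --run')
# is an assumption; adapt to your VPN client.

# 'fs getcacheparms' prints one line shaped like (constructed sample):
#   AFS using 12345 of the cache's available 100000 1K byte blocks.
# Pull the configured total (1K blocks) and the blocks currently in use.
parse_cache_total() {
    printf '%s\n' "$1" |
        sed -n 's/.*available \([0-9][0-9]*\) 1K byte blocks.*/\1/p'
}

parse_cache_used() {
    printf '%s\n' "$1" | sed -n 's/.*using \([0-9][0-9]*\) of .*/\1/p'
}

# Purge the client cache. Prefer 'fs flushall', which discards all cached
# file data; if this fs does not know that subcommand, force eviction by
# shrinking the cache to 1K and restoring the configured size afterwards.
# Prints the number of 1K blocks still in use after the purge so the caller
# (or a log) can see whether anything survived; returns 1 on any failure.
purge_afs_cache() {
    params=$(fs getcacheparms 2>/dev/null) || return 1
    total=$(parse_cache_total "$params")
    [ -n "$total" ] || return 1

    if ! fs flushall >/dev/null 2>&1; then
        fs setcachesize 1 >/dev/null 2>&1 || return 1
        fs setcachesize "$total" >/dev/null 2>&1 || return 1
    fi

    after=$(fs getcacheparms 2>/dev/null) || return 1
    parse_cache_used "$after"
}

# Only act when invoked as the hook; sourcing the file defines the functions.
if [ "${1:-}" = "--run" ]; then
    used=$(purge_afs_cache) || { echo "AFS cache purge failed" >&2; exit 1; }
    echo "AFS cache purged; ${used} 1K blocks still in use"
fi
```

Two caveats a practitioner should expect: cached data for files an application still holds open is not discarded until they are closed, so the reported in-use count is worth logging rather than assuming zero; and `fs setcachesize` applies to disk-cache clients only, so the fallback path does nothing useful on a memory-cache configuration. The Windows client ships its own `fs.exe` with `flushall`, so the same sequence can be driven from a Windows VPN disconnect script.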
