On 1/9/2010 4:33 PM, Russ Allbery wrote:
> Jeffrey Altman <[email protected]> writes:
> 
>> For Windows you will want to do two things:
> 
>> 1. install the cache file in an encrypted directory that is restricted
>> to the SYSTEM account.
> 
> Ah, this is a good idea.  Is this something that we can easily do as part
> of the AFS installer?

You can create an "afsdhook.dll" exporting an AfsdInitHook() function.
This function is called before the cache initialization is started.
You can use it to enforce the appropriate ACLs and encryption mode.
The DLL can then be added to the installer.

> Do we need a separate product to do the encryption,
> or do current versions of Windows support this internally?  (We do have a
> whole-disk encryption product that we've been deploying, but my guess is
> that the people using this new service and the people using whole-disk
> encryption won't be slightly the same.)

What version of Windows will you be using?  NTFS Encryption should
be available in any version you would be using.

>> 2. Add "fs flushall" to the VPN disconnect script.
> 
> This sounds great.  Thank you!

Another thing you could do is automate the flush operation from
within the afsdhook.dll AfsdDaemonHook() if there is a method of
detecting when the VPN is active and then not.

Jeffrey Altman
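The two hardening steps discussed above, written out as an added PowerShell example (not code from this thread, and not part of OpenAFS). It locks the cache directory's DACL down to SYSTEM, turns on NTFS (EFS) encryption for it, verifies both, and wraps `fs flushall` for a VPN disconnect script. The cache path is a constructed placeholder; substitute the directory your afsd is configured to use. It assumes `cipher.exe` (part of Windows) and `fs.exe` (installed with the OpenAFS client) are on the PATH.

```powershell
# Added example, not from the thread or from OpenAFS.
# Run this in the LocalSystem context, which is what an AfsdInitHook gets for
# free because afsd runs as a service: EFS encrypts with the calling account's
# certificate, so a directory encrypted by an interactive administrator would
# not be readable by the SYSTEM account that afsd runs under.
param(
    [string]$CacheDir = 'C:\ProgramData\OpenAFS\Cache'   # constructed placeholder path
)

function Set-CacheDirAcl {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # S-1-5-18 is the well-known SID for NT AUTHORITY\SYSTEM
    $system = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-18'

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent directory and discard the inherited ACEs
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit ACEs already present on the directory
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    # Single ACE: SYSTEM, full control, inherited by the cache files afsd creates
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $system, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Enable-CacheDirEncryption {
    param([Parameter(Mandatory)][string]$Path)
    # cipher.exe /E sets the encryption attribute on the directory, so files
    # created inside it are encrypted with the caller's EFS certificate.
    & cipher.exe /E "$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe /E failed with exit code $LASTEXITCODE" }
}

function Test-CacheDirHardened {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    $acl  = Get-Acl -LiteralPath $Path
    $explicit = @($acl.Access)

    $encrypted  = ($item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
    $onlySystem = $acl.AreAccessRulesProtected -and
                  $explicit.Count -eq 1 -and
                  $explicit[0].IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
                  $explicit[0].AccessControlType -eq 'Allow'

    [pscustomobject]@{ Path = $Path; Encrypted = $encrypted; OnlySystem = $onlySystem }
}

# For the VPN disconnect script: discard cached file data once the tunnel is gone.
function Invoke-AfsFlushAll {
    & fs.exe flushall
    if ($LASTEXITCODE -ne 0) { throw "fs flushall failed with exit code $LASTEXITCODE" }
}

Set-CacheDirAcl -Path $CacheDir
Enable-CacheDirEncryption -Path $CacheDir
Test-CacheDirHardened -Path $CacheDir
```

`Test-CacheDirHardened` is the check to keep around: it reports whether the directory is still protected from inheritance, still has SYSTEM as its only ACE, and still carries the Encrypted attribute, so a later installer run or an administrator's change that widens access shows up as `OnlySystem = False`. `Invoke-AfsFlushAll` is the piece to call from the VPN disconnect script.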

