From 751a8114ef3afe9abe7692b3974b070db6a705a2 Mon Sep 17 00:00:00 2001 From: Sebastien Buisson Date: Mon, 2 May 2022 15:36:00 +0200 Subject: [PATCH] LU-15787 sec: document enc-unaware clients on enc files Document the behavior of encryption-unaware clients when they access encrypted files. Test-Parameters: trivial Signed-off-by: Sebastien Buisson Change-Id: I0354e3051e10aa0542baeb8e34c6201d47e65710 Reviewed-on: https://review.whamcloud.com/47182 Tested-by: jenkins Reviewed-by: Andreas Dilger Tested-by: Maloo --- .../client_side_encryption/access_semantics.txt | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/Documentation/client_side_encryption/access_semantics.txt b/Documentation/client_side_encryption/access_semantics.txt index 7ed0bc7..7cac67a 100644 --- a/Documentation/client_side_encryption/access_semantics.txt +++ b/Documentation/client_side_encryption/access_semantics.txt 
@@ -105,6 +105,28 @@ It is not currently possible to backup and restore encrypted files without the encryption key. This would require special APIs which have not yet been implemented. +From encryption-unaware clients +------------------------------- + +Encryption-unaware clients are Lustre clients explicitly compiled without +encryption support (``--enable-crypto=no``), or compiled for a kernel that +does not have necessary features to support Lustre client encryption (older +than CentOS/RHEL 8.1, Ubuntu 18.04, SLES 15 SP2), or Lustre clients with a +version older than 2.14. + +From those clients, we prevent manipulating encrypted files and directories, +in order to avoid file system corruption. +The forbidden operations are: +- open; +- create; +- link; +- rename; +- migrate. +Encryption-unaware clients get -ENOKEY if they try to perform these operations. +Note that encryption-unaware clients can still list directory content, stat or +remove files, but they have to use encrypted names for that, which may contain +non-printable characters. + Encryption policy enforcement ============================= -- 1.8.3.1
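Review bot: The paragraph starting "From those clients, we prevent manipulating encrypted files and directories" does not say which component enforces the restriction. The clients described include builds with ``--enable-crypto=no`` and versions older than 2.14, so readers need to know whether the -ENOKEY refusal depends on the client's cooperation. Suggest naming the enforcing side explicitly. The list after "The forbidden operations are:" has no empty line before "- open;" or after "- migrate.", so reStructuredText will fold it into the surrounding paragraph instead of rendering a bullet list; add a blank line on both sides. Since the last sentence says these clients can still remove files, consider adding a sentence on what governs removal from an encryption-unaware client, so that administrators do not read the -ENOKEY behaviour as protection against deletion.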