From: Sebastien Buisson Date: Mon, 2 May 2022 13:36:00 +0000 (+0200) Subject: LU-15787 sec: document enc-unaware clients on enc files X-Git-Tag: 2.15.50~1 X-Git-Url: https://git.whamcloud.com/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F82%2F47182%2F2;p=fs%2Flustre-release.git LU-15787 sec: document enc-unaware clients on enc files Document the behavior of encryption-unaware clients when they access encrypted files. Test-Parameters: trivial Signed-off-by: Sebastien Buisson Change-Id: I0354e3051e10aa0542baeb8e34c6201d47e65710 Reviewed-on: https://review.whamcloud.com/47182 Tested-by: jenkins Reviewed-by: Andreas Dilger Tested-by: Maloo --- diff --git a/Documentation/client_side_encryption/access_semantics.txt b/Documentation/client_side_encryption/access_semantics.txt index 7ed0bc7..7cac67a 100644 --- a/Documentation/client_side_encryption/access_semantics.txt +++ b/Documentation/client_side_encryption/access_semantics.txt 
@@ -105,6 +105,28 @@ It is not currently possible to backup and restore encrypted files without the encryption key. This would require special APIs which have not yet been implemented. +From encryption-unaware clients +------------------------------- + +Encryption-unaware clients are Lustre clients explicitly compiled without +encryption support (``--enable-crypto=no``), or compiled for a kernel that +does not have necessary features to support Lustre client encryption (older +than CentOS/RHEL 8.1, Ubuntu 18.04, SLES 15 SP2), or Lustre clients with a +version older than 2.14. + +From those clients, we prevent manipulating encrypted files and directories, +in order to avoid file system corruption. +The forbidden operations are: +- open; +- create; +- link; +- rename; +- migrate. +Encryption-unaware clients get -ENOKEY if they try to perform these operations. +Note that encryption-unaware clients can still list directory content, stat or +remove files, but they have to use encrypted names for that, which may contain +non-printable characters. + Encryption policy enforcement =============================
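Review bot: In the last added paragraph, "can still list directory content, stat or remove files" sits next to a rationale of avoiding file system corruption, but the text does not say why removal stays allowed when open, create, link, rename and migrate are refused. Since removal is possible without the key, add a sentence stating that this is intentional and, if that is the case, that deleting encrypted files from such clients is limited only by the usual permission checks. Two smaller points: the bullet list follows "The forbidden operations are:" and runs into "Encryption-unaware clients get -ENOKEY" with no blank line on either side, so it will not render as a list if this file is processed as reStructuredText (the ``--enable-crypto=no`` literal and the underlined heading suggest that markup); and "-ENOKEY" is the kernel-internal form, so for readers on the client side it would be clearer to say the call fails with errno ENOKEY.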