
Re: [Condor-users] Windows encrypt on disk for execute nodes of job files




Colin,
     thanks for the response. I have checked again the setting - currently in
the condor_config file on the execute node. I looked for desktop.ini - BTW it is
marked both system and hidden so you have to deal with both for it to be seen.
It is in place and has the lines as shown in your email. The starterlog is not
showing any relevant errors even at D_ALL.

I assume that when the file is encrypted I will see random characters?

I can see cleartext under the local admin account and can also run the
executable. Using another account - that I ensured had file access FC from the
execute directory to and including the desktop.ini file and the text file - I
get errors such as: access denied and ensure that the disk is in the drive
specified. This is using both Windows Explorer and also the DOS command line.

Cheers Paul



Colin Stolley <stolley@xxxxxsc.edu>
20/08/2004 12:51 PM
Please respond to Condor-Users Mail List

To:      Condor-Users Mail List <condor-users@xxxxxxxxxxx>
cc:      (bcc: Paul Chubb/Staff/ABS)
Subject: Re: [Condor-users] Windows encrypt on disk for execute nodes of job files





>Hi,
>     Todd Tannenbaum's presentation on "what's new" at the Condor Week in April
>stated that on disk encryption was now available for Windows in version 6.6. I
>have noted a thread on Windows EFS support. Is this what the presentation
>reference was to?
>
>
I'm not Todd, but I'm pretty sure that he was referring to EFS support.

>In either case how do you get it to work? I have added the encrypt execute
>directory entry to the config file as suggested in the list thread but this
>doesn't cause encryption on Windows 2000 where I am testing. The thread left
>the discussion at that point. Is XP required?
>
>
No, Windows 2000 should work fine. Here are two things to check:

1. Verify that you've correctly spelled

ENCRYPT_EXECUTE_DIRECTORY = True

in your config file, and that this setting is reflected on your execute
machines.

2. While a job is running, if you can get an administrator shell
started, you should find a hidden Desktop.ini file in the execute
directory (the dir_#### directory underneath EXECUTE). The file should
contain two lines:

[Encryption]
Disable=0

If the file isn't there, or doesn't contain those two lines, check the
starter log for error messages.

Assuming all goes well, you should be able to do a 'dir' on the execute
directory, but attempting to read the contents of the files should fail
with Access Denied. Only the person that created the execute directory
(in this case, probably condor-reuse-vm1) should be able to successfully
read any of the files.

Colin
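
The Desktop.ini check described above can be scripted. The following Python sketch is an added example, not code from this thread or from the Condor project; its function names are hypothetical. Beyond what the thread states, it also reads each job file's Windows "encrypted" attribute, which is how EFS marks a file on disk. Run it from an administrator shell with the EXECUTE directory as its argument.

```python
import configparser
import stat
from pathlib import Path

def desktop_ini_enables_efs(text):
    """True if the text has an [Encryption] section with Disable=0."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a BOM
    except configparser.Error:
        return False
    for section in parser.sections():  # section names are case-sensitive here
        if section.lower() == "encryption":
            return parser[section].get("disable", "").strip() == "0"
    return False

def is_efs_encrypted(attrs):
    """True if a Windows attribute mask carries FILE_ATTRIBUTE_ENCRYPTED."""
    return bool(attrs & stat.FILE_ATTRIBUTE_ENCRYPTED)

def audit_execute_dir(execute_root):
    """Check every dir_* under EXECUTE; return {dir: findings}."""
    report = {}
    for job_dir in sorted(Path(execute_root).glob("dir_*")):
        if not job_dir.is_dir():
            continue
        ini = job_dir / "Desktop.ini"
        try:
            ini_ok = ini.is_file() and desktop_ini_enables_efs(
                ini.read_text(errors="replace"))
        except OSError:  # e.g. Access Denied when not run as owner or admin
            ini_ok = False
        unencrypted = []
        for entry in job_dir.iterdir():
            if entry.is_file() and entry.name.lower() != "desktop.ini":
                # st_file_attributes exists only on Windows; treated as 0 elsewhere
                attrs = getattr(entry.stat(), "st_file_attributes", 0)
                if not is_efs_encrypted(attrs):
                    unencrypted.append(entry.name)
        report[job_dir.name] = {"desktop_ini_ok": ini_ok,
                                "unencrypted_files": sorted(unencrypted)}
    return report

if __name__ == "__main__":
    import sys
    for name, result in audit_execute_dir(sys.argv[1]).items():
        print(name, result)
```
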
