Mailing List Archives

Public Access

 		[Computer Systems Lab]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-users] Windows encrypt on disk for execute nodes ofjob files


Colin,
     I just did some testing on W2K server which is what I am running. It looks
like by default Windows is adding the administrator's key to the keyring for all
encrypted files. This will mean that administrator will always be able to read
encrypted files. From the other discussions on this I would guess that XP
doesn't do this. But it looks like it was working all the time.

Thanks again for your help.

Cheers Paul



|--------+------------------------>
|        |          Colin Stolley |
|        |          <stolley@xxxxx|
|        |          sc.edu>       |
|        |                        |
|        |          20/08/2004    |
|        |          12:51 PM      |
|        |          Please respond|
|        |          to            |
|        |          Condor-Users  |
|        |          Mail List     |
|        |                        |
|--------+------------------------>
  >----------------------------------------------------------------------------|
  |                                                                            |
  |      To:     Condor-Users Mail List <condor-users@xxxxxxxxxxx>             |
  |      cc:     (bcc: Paul Chubb/Staff/ABS)                                   |
  |      Subject:     Re: [Condor-users] Windows encrypt on disk for execute   |
  |       nodes of job     files                                               |
  >----------------------------------------------------------------------------|





>Hi,
>     Todd Tannenbaums presentation on "whats new" at the condor week in april
>stated that on disk encryption was now available for Windows in version 6.6. I
>have noted a thread on Windows EFS support. Is this was the presentation
>referance was to?
>
>
I'm not Todd, but I'm pretty sure that he was referring to EFS support.

>In either case how do you get it to work? I have added the encrypt execute
>directory entry to the config file as suggested in the list thread but this
>doesn't cause encryption on Windows 2000 where I am testing. The thread left
the
>discussion at that point. Is XP required?
>
>
No, Windows 2000 should work fine. Here's two things to check:

1. Verify that you've correctly spelled

ENCRYPT_EXECUTE_DIRECTORY = True

in your config file, and that this setting is reflected on your execute
machines.

2. While a job is running, if you can get an administrator shell
started, you should find a hidden Desktop.ini file in the execute
directory (the dir_#### directory underneath EXECUTE). The file should
contain two lines:

[Encryption]
Disable=0

if the file isn't there, or doesn't contain those two lines, check the
starter log for error messages.

Assuming all goes well, you should be able to do a 'dir' on the execute
directory, but attempting to read the contents of the files should fail
with Access Denied. Only the person that created the execute directory
(in this case, probably condor-reuse-vm1) should be able to successfully
read any of the files.

Colin


_______________________________________________
Condor-users mailing list
Condor-users@xxxxxxxxxxx
http://lists.cs.wisc.edu/mailman/listinfo/condor-users






-----------------------------------------------
ABS Web Site:  www.abs.gov.au