Slashdot Mirror


Encrypt NFSv4 with TLS Encryption Using Stunnel (linuxjournal.com)

The systems and database administrator for a Fortune 500 company notes that while NFS is "decades old and predating Linux...the most obvious feature missing from NFSv4 is native, standalone encryption." emil (Slashdot reader #695) summarizes this article from Linux Journal: NFS is the most popular remote file system in the Linux, UNIX, and greater POSIX community. The NFS protocol pushes file traffic over cleartext connections in the default configuration, which is poison to sensitive information.

TLS can wrap this traffic, finally bringing wire security to files vulnerable to compromise in transit. Before using a cloud provider's toolset, review NFS usage and encrypt where necessary.
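As an added illustration of the wrapping the summary describes (not code from the Linux Journal article or from Slashdot), the shell helper below writes a minimal stunnel client/server pair for NFSv4 and then audits a config for the settings whose absence leaves the tunnel encrypted but unauthenticated. NFSv4 multiplexes everything over a single TCP port (2049), which is what makes a plain port-forwarding tunnel like stunnel workable at all. The certificate paths, the TLS port 2050 and the host name nfs-server.example.internal are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: generate and audit stunnel configs that wrap NFSv4 in TLS.
# All file paths, ports other than 2049, and host names below are assumptions.

# Server side: accept TLS on 2050 and hand plaintext to the local nfsd on 2049.
# verifyChain + CAfile makes the server demand a client certificate, which is
# what replaces host-based export controls once every mount arrives from 127.0.0.1.
write_server_conf() {
  cat > "$1" <<'EOF'
cert = /etc/stunnel/nfs-server.pem
key = /etc/stunnel/nfs-server.key
CAfile = /etc/stunnel/nfs-ca.pem
verifyChain = yes
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

[nfs]
accept = 2050
connect = 127.0.0.1:2049
EOF
}

# Client side: listen on localhost:2049 and carry it to the server's TLS port;
# the mount then targets localhost, e.g. mount -t nfs4 127.0.0.1:/export /mnt.
# checkHost pins the expected server name in the presented certificate.
write_client_conf() {
  cat > "$1" <<'EOF'
client = yes
cert = /etc/stunnel/nfs-client.pem
key = /etc/stunnel/nfs-client.key
CAfile = /etc/stunnel/nfs-ca.pem
verifyChain = yes
checkHost = nfs-server.example.internal

[nfs]
accept = 127.0.0.1:2049
connect = nfs-server.example.internal:2050
EOF
}

# Audit: return 0 only when the config authenticates the peer, i.e. it has
# verifyChain/verifyPeer = yes (or the legacy verify level >= 2) AND a trust
# anchor (CAfile or CApath). Without both, stunnel still encrypts but will
# happily talk to any endpoint that offers a certificate.
audit_stunnel_conf() {
  conf=$1
  grep -Eq '^[[:space:]]*(verifyChain|verifyPeer)[[:space:]]*=[[:space:]]*yes' "$conf" \
    || grep -Eq '^[[:space:]]*verify[[:space:]]*=[[:space:]]*[234]' "$conf" \
    || return 1
  grep -Eq '^[[:space:]]*(CAfile|CApath)[[:space:]]*=' "$conf" || return 1
  return 0
}
```

Two operational consequences follow from this layout. First, nfsd on the server sees every tunnelled mount as coming from 127.0.0.1, so /etc/exports must grant localhost and can no longer distinguish one client host from another; the client certificate check on the server side is what restores per-client authorisation. Second, a config that omits CAfile or verifyChain passes a casual "is it TLS?" test while offering no protection against an interposed endpoint, which is exactly the case the audit function flags.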

The article's author complains that Google Cloud "makes no mention of data security in its documented procedures," though "the performance penalty for tunneling NFS over stunnel is surprisingly small...."

"While the crusade against telnet may have been largely won, Linux and the greater UNIX community still have areas of willful blindness. NFS should have been secured long ago, and it is objectionable that a workaround with stunnel is even necessary."

7 of 83 comments

  1. Use the right options by El Cubano · Score: 4, Insightful

    sec=krb5p

  2. Misses the point of NFS by guruevi · Score: 5, Insightful

    NFS is unencrypted exactly because of the overhead it brings and the fact that within a small network the risk is relatively small to non-existent.

    NFS has a number of assumptions that WAN links don't provide (eg stability). Use a different protocol if you want security and stability over WAN.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com

    1. Re:Misses the point of NFS by iggymanz · Score: 2, Insightful

      actually, NFS has encryption option, and the article tries to justify this extraneous stunnel solution by stating "waaah, it's too hard to do the built in..." which is bullshit

      You can do NFS securely and without stunnel. end of story.

  3. It's not really a work around by rsilvergun · Score: 3, Insightful

    it's a Unix philosophy: lots of smaller tools working well together instead of one big tool that tries to do everything and just turns into a mess.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/

  4. Use GSSAPI by sydsavage · Score: 2

    NFSv4 _does_ have native encryption, but it requires the use of GSSAPI (kerberos).

    1. Re:Use GSSAPI by Desler · Score: 3, Informative

      Yes and the article addresses that:

      The sec=krb5p option will encrypt NFSv4 traffic in a Kerberos realm, but requiring this infrastructure is inappropriate in hosted environments and is generally far from helpful. Basic access to symmetric cryptography does not and should not mandate such enormous baggage.

  5. IPsec by pD-brane · Score: 3, Insightful

    You could also do NFS over IPsec.

    NFSv3 could be fine as well.

    Often no need for complicated designs like NFSv4 and Kerberos.