encrypt NFS in transit

Has anyone worked on encrypting NFS via transit?
Goal: have the traffic between the NFS server and client encrypted.
 
On Linux you can use sec=krb5p to enable authentication and encryption of the NFS mount. But I can't find any mention of it in the FreeBSD man pages.
 
exports(5):
Code:
     -sec=flavor1:flavor2... specifies a colon separated list of acceptable
     security flavors to be used for remote access.  Supported security
     flavors are sys, krb5, krb5i and krb5p.  If multiple flavors are listed,
     they should be ordered with the most preferred flavor first.  If this
     option is not present, the default security flavor list of just sys is
     used.
 
Ah, nice. Could not find it on short notice. krb5 is only authentication, krb5i is authentication plus integrity (signed), and krb5p is authentication plus privacy (encrypted).
 
Those flags force the use of secure authentication, but the actual data streams are not encrypted. If you want Transport Layer Security, start reading at
The -tls, -tlscert and -tlscertuser export options are used to require
the client to use TLS for the mount(s) per RFC NNNN. For NFS mounts
using TLS to work, rpc.tlsservd(8) must be running on the server.

The rpc.tlsservd(8) man page is probably worth consulting as well.
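An added example, not from the thread or from FreeBSD itself: a small sh/awk audit built on the exports(5) text quoted above. It marks an export line as protected only when every accepted `-sec` flavor is krb5p or a `-tls`, `-tlscert` or `-tlscertuser` option is present. It assumes one export per line with whitespace-separated options and no backslash continuations; the function name `audit_exports` and the sample paths and addresses are constructed for illustration.

```shell
#!/bin/sh
# Reads exports(5)-style text on stdin and prints "<verdict> <first field>".
#   ENCRYPTED  every accepted -sec flavor is krb5p, or a -tls* option is set
#   CLEARTEXT  otherwise (a missing -sec means the default list "sys")
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    {
        sec = "sys"; tls = 0               # default flavor list per exports(5)
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^-sec=/) sec = substr($i, 6)
            if ($i ~ /^-tls(cert(user)?)?$/) tls = 1
        }
        # Every listed flavor is acceptable to the server, so a single
        # non-privacy flavor anywhere in the list permits a cleartext mount.
        n = split(sec, flavors, ":")
        private = (n > 0)
        for (j = 1; j <= n; j++)
            if (flavors[j] != "krb5p") private = 0
        verdict = (tls || private) ? "ENCRYPTED" : "CLEARTEXT"
        print verdict, $1
    }'
}

# Constructed sample input, not taken from a real server.
SAMPLE='# constructed sample exports lines
/data/a 10.0.0.5
/data/b -sec=krb5p 10.0.0.5
/data/c -sec=krb5p:krb5i:sys 10.0.0.5
/data/d -tls -network 10.0.0.0/24'

printf '%s\n' "$SAMPLE" | audit_exports
```

On a server the same function can be fed the live file with `audit_exports < /etc/exports`.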
 