LINUX.IE, website of the Irish Linux Users' Group
[ILUG] Data Encryption for NFS Share


paul at clubi.ie paul at clubi.ie
Sun Feb 6 18:30:03 GMT 2011


On Tue, 25 Jan 2011, Walter Faleiro wrote:

> I need to encrypt the data on the NFS share.

First off, do you want to encrypt the data on the server doing NFS? 
Or do you want your clients to do the encryption? I.e. what are you 
trying to protect against?

a) Protecting clients' data from the server, encrypting data so that 
the server can not read it

b) Protecting the data on the server from offline attacks, so that if 
it is powered down the data won't be easily accessible?

c) Protecting the data in transit from the client to the server?

For case a, you can store big encrypted files on the server and 
loopback mount and decrypt them on the clients (using LUKS, 
whatever). You seem to have gotten advice on how to do this already. 
However note that you'll be running another filesystem 'inside' the 
decrypted file. Most filesystems (e.g. Ext{2,3,4}) are *not* designed 
to be accessed by multiple computers at the same time - you'd need a 
special cluster filesystem (GFS, OCFS).

Further, layering this on top of NFS doesn't make sense (and may have 
consistency issues..). You'd probably be much better advised to use a 
block-orientated network disk-sharing protocol, like iSCSI or "ATA 
over Ethernet" (AoE), than a file-orientated one like NFS.

For case b, you can just use LUKS or whatever on the server. Fairly 
standard. Clients don't know anything about it. Obviously case a 
covers case b already.

For case c, your options are:

- RPCSEC-GSS: GSS in theory supports a number of security mechanisms, 
but with Linux NFS your only options are krb5p, i.e. using Kerberos 
v5. Which perhaps you'll find too much hassle to set up.

- IPSec: Encrypt all data. Not always the most trivial to get 
working.

- Use SSHFS to access the files, as others have advised. This needs 
no support from the server, other than an SSH server. Further, it's 
trivial to set up client-side, even from the desktop.

regards,
-- 
Paul Jakma	paul at jakma.org	@pjakma	Key ID: 64A2FF6A
Fortune:
You will be singled out for promotion in your work.
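
Added example, not part of the original message: a check for case c that reads mount entries in /proc/mounts format and reports whether each NFS or SSHFS mount is protected on the wire. The sample mounts (hosts, paths, addresses) are constructed, and treating a missing `sec=` option as `sys` is an assumption; IPsec sits below NFS, so a mount reported as cleartext here may still be covered by it.

```python
#!/usr/bin/env python3
"""Classify mounts by how their traffic is protected in transit (case c)."""
import sys

# Constructed sample in /proc/mounts format (hosts and paths are made up).
SAMPLE_MOUNTS = """\
fs1:/export/home /home nfs4 rw,relatime,vers=4.1,proto=tcp,sec=sys,addr=192.0.2.10 0 0
fs1:/export/hr /srv/hr nfs4 rw,relatime,vers=4.1,proto=tcp,sec=krb5p,addr=192.0.2.10 0 0
fs1:/export/src /srv/src nfs rw,vers=3,proto=tcp,sec=krb5i,addr=192.0.2.10 0 0
alice@fs1:/data /mnt/data fuse.sshfs rw,nosuid,nodev,user_id=1000,group_id=1000 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""

# What each NFS security flavour provides on the wire.
NFS_SEC = {
    "krb5p": "encrypted",       # privacy: authentication + integrity + encryption
    "krb5i": "integrity-only",  # tamper-evident, but still readable in transit
    "krb5": "auth-only",        # Kerberos authentication, payload unprotected
    "sys": "cleartext",         # AUTH_SYS: no cryptographic protection at all
}

def classify(fstype, options):
    """Return a verdict for network mounts, or None for anything else."""
    if fstype == "fuse.sshfs":
        return "encrypted"      # all traffic is carried inside the SSH session
    if fstype in ("nfs", "nfs4"):
        opts = dict(o.partition("=")[::2] for o in options.split(","))
        # Assumption: an entry with no sec= option is treated as sec=sys.
        return NFS_SEC.get(opts.get("sec", "sys"), "unknown")
    return None

def audit(mounts_text):
    """Return (mountpoint, fstype, verdict) for each NFS or SSHFS mount."""
    results = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        verdict = classify(fields[2], fields[3])
        if verdict is not None:
            results.append((fields[1], fields[2], verdict))
    return results

if __name__ == "__main__":
    # Pass /proc/mounts as the argument to audit a live client.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTS
    for mountpoint, fstype, verdict in audit(text):
        print(f"{mountpoint:12} {fstype:10} {verdict}")
```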

