LINUX.IE, website of the Irish Linux Users' Group

[ILUG] Data Encryption for NFS Share

Walter Faleiro curtorkar at gmail.com
Tue Feb 8 13:09:21 GMT 2011


Hi Paul,
It's b & c.

For b I have taken the advice for LUKS.
For c what we plan to do is separate the server and client VLAN. Have a
Display Server in the server VLAN, use software that supports encryption.
Need to figure out if the VNC server that comes with CentOS supports AES
encryption for sessions or go with the SSHFS.

Thanks,
--Walter



On Mon, Feb 7, 2011 at 12:00 AM, <paul at clubi.ie> wrote:

> On Tue, 25 Jan 2011, Walter Faleiro wrote:
>
>> I need to encrypt the data on the NFS share.
>
> First off, do you want to encrypt the data on the server doing NFS? Or do
> you want your clients to do the encryption? I.e. what are you trying to
> protect against?
>
> a) Protecting clients' data from the server, encrypting data so that the
> server can not read it
>
> b) Protecting the data on the server from offline attacks, so that if it is
> powered down the data won't be easily accessible?
>
> c) Protecting the data in transit from the client to the server?
>
> For case a, you can store big encrypted files on the server and loopback
> mount and decrypt them on the clients (using Luks, whatever). You seem to
> have gotten advice on how to do this already. However note that you'll be
> running another filesystem 'inside' the decrypted file. Most filesystems
> (e.g. Ext{2,3,4}) are *not* designed to be accessed by multiple computers
> at the same time - you'd need a special cluster filesystem (GFS, OCFS).
>
> Further, layering this on top of NFS doesn't make sense (and may have
> consistency issues..). You'd probably be much better advised to use a
> block-orientated network disk-sharing protocol, like iSCSI or "ATA over
> Ethernet" (AoE), than a file-orientated one like NFS.
>
> For case b, you can just use Luks or whatever on the server. Fairly
> standard. Clients don't know anything about it. Obviously case a covers case
> b already.
>
> For case c, your options are:
>
> - RPCSEC-GSS: GSS in theory supports a number of security mechanisms, but
> with Linux NFS your only options are krb5p, i.e. using Kerberos v5. Which
> perhaps you'll find too much hassle to set up.
>
> - IPSec: Encrypt all data. Not always the most trivial to get working.
>
> - Use SSHFS to access the files, as others have advised. This needs no
> support from the server, other than an SSH server. Further, it's trivial to
> set up client-side, even from the desktop.
>
> regards,
> --
> Paul Jakma      paul at jakma.org  @pjakma Key ID: 64A2FF6A
> Fortune:
> You will be singled out for promotion in your work.
>
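
For the RPCSEC-GSS option in case c, a server's export list can be checked for entries that still accept a security flavor other than krb5p. This is an added example, not part of the original thread: the sample exports, paths and addresses are constructed, the function names are hypothetical, and the parser assumes simple `/etc/exports` lines (no quoted paths or line continuations).

```python
import re

# Constructed sample in /etc/exports syntax (not taken from the thread).
SAMPLE_EXPORTS = """\
# path        client(options) ...
/srv/secure   10.0.20.0/24(rw,sync,sec=krb5p)
/srv/mixed    10.0.20.0/24(rw,sec=krb5p:krb5i) 10.0.30.5(ro,sec=krb5p)
/srv/legacy   10.0.20.0/24(rw,sync)
/srv/default  -sec=krb5p 10.0.20.0/24 10.0.30.5(rw)
"""

CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")

def sec_flavors(options, inherited):
    """Return the flavors named by a sec= option, else the inherited list."""
    for opt in options:
        if opt.startswith("sec="):
            return opt[4:].split(":")   # sec= takes a colon-separated list
    return inherited

def unencrypted_exports(text):
    """List (path, client, flavors) for entries accepting anything but krb5p."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *fields = line.split()
        default = ["sys"]               # AUTH_SYS when no sec= is given
        for field in fields:
            if field.startswith("-"):   # "-opts" sets defaults for the line
                default = sec_flavors(field[1:].split(","), default)
                continue
            m = CLIENT_RE.match(field)
            if not m:
                continue
            flavors = sec_flavors((m.group(2) or "").split(","), default)
            if set(flavors) != {"krb5p"}:
                findings.append((path, m.group(1) or "*", flavors))
    return findings

if __name__ == "__main__":
    for path, client, flavors in unencrypted_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: allows {':'.join(flavors)}")
```

Only krb5p adds encryption of the NFS traffic; krb5 authenticates and krb5i adds integrity checking, so an export listing either alongside krb5p still lets a client negotiate an unencrypted session.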

