this post was submitted on 25 Jul 2025
19 points (95.2% liked)

[–] partial_accumen@lemmy.world 6 points 2 days ago (2 children)

Having gone through this hard journey before, I was surprised to see the alternative to NFSv4 w/ encryption (via the traditional Kerberos path) in Oracle Cloud. It's built into their guest environment agent in their prebaked Linux images and can be added to any other modern Linux. It does the encryption-in-transit via TLS v1.3 and the agent dynamically creates an stunnel upon request to the file system. This is really slick for a number of different reasons including not having to set up or maintain Kerberos for it, but it also means that encryption-in-transit works on NFSv3!

Mount command works the same as before with the exception of the -t argument:

sudo mount -t oci-fss 10.x.x.x:/fs-export-path /mnt/yourmountpoint

source

I haven't looked to see if there is a non-Oracle Cloud implementation of this method by some other open source project or vendor though. I understand that the compatibility is dependent on the backend support which your Synology NAS likely doesn't support. I thought I'd share this for other folks that do enterprise stuff that have been through your pain before. Lots of us are dealing with legacy systems and still need to reach compliance goals to pass regulatory audits.

[–] InnerScientist@lemmy.world 8 points 2 days ago (1 children)

NFS traffic can be encrypted using TLS as of Linux 6.5 using the xprtsec=tls mount option. To begin, install the ktls-utils package on the client and server, and follow the below configuration steps for each.

https://wiki.archlinux.org/title/NFS#TLS_encryption
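
An added example, not part of the comment above or of the linked wiki: a shell check that reads mount-table lines and reports which NFS mounts actually carry the xprtsec=tls option mentioned above (or xprtsec=mtls, the mutual-TLS value from nfs(5)). The function names and the sample mount table are constructed for illustration, and it assumes the kernel lists xprtsec= among the options in /proc/mounts.

```shell
#!/bin/sh
# Added example: classify NFS mounts by transport security policy.
# Assumption: the kernel reports xprtsec= in the /proc/mounts option field.

# Print the xprtsec policy found in a comma-separated option string,
# or "none" when the option is absent.
xprtsec_policy() {
    policy=none
    old_ifs=$IFS; IFS=,
    for opt in $1; do
        case $opt in
            xprtsec=*) policy=${opt#xprtsec=} ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$policy"
}

# Read /proc/mounts-format lines on stdin and print "<mountpoint> <policy>"
# for every nfs or nfs4 mount; other filesystem types are skipped.
audit_nfs_mounts() {
    while read -r _dev mnt fstype opts _rest; do
        case $fstype in
            nfs|nfs4) printf '%s %s\n' "$mnt" "$(xprtsec_policy "$opts")" ;;
        esac
    done
}

# Print only the NFS mount points whose policy is neither tls nor mtls.
unencrypted_nfs_mounts() {
    audit_nfs_mounts | while read -r mnt policy; do
        case $policy in
            tls|mtls) ;;
            *) printf '%s\n' "$mnt" ;;
        esac
    done
}

# Constructed sample mount table (not taken from a real host).
SAMPLE_MOUNTS='nas:/export/media /mnt/media nfs4 rw,relatime,vers=4.2,proto=tcp,sec=sys 0 0
nas:/export/home /mnt/home nfs4 rw,relatime,vers=4.2,proto=tcp,xprtsec=tls,sec=sys 0 0
nas:/export/db /mnt/db nfs rw,vers=3,proto=tcp,xprtsec=mtls,sec=sys 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | audit_nfs_mounts
```

On a real client, feed it the live table instead: `unencrypted_nfs_mounts < /proc/mounts`.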

[–] partial_accumen@lemmy.world 2 points 2 days ago

Nice! I'm glad this exists outside of Oracle Cloud. Thanks for sharing that.

[–] qaz@lemmy.world 2 points 1 day ago (1 children)

But this method still allows IP spoofing to access the NFS share, right?

[–] partial_accumen@lemmy.world 0 points 1 day ago

When you say IP spoofing, do you mean via NAT or port redirection in a router through to the NFS host on the backend?

[–] sudoku@programming.dev 2 points 2 days ago (1 children)

What is the alternative if you don't want to go insane trying to set up all of that? Samba?

[–] possiblylinux127@lemmy.zip 1 points 1 day ago

Unencrypted NFS in its own isolated VLAN