this post was submitted on 25 Jul 2025
20 points (95.5% liked)

Linux

12291 readers
66 users here now

Welcome to c/linux!

Welcome to our thriving Linux community! Whether you're a seasoned Linux enthusiast or just starting your journey, we're excited to have you here. Explore, learn, and collaborate with like-minded individuals who share a passion for open-source software and the endless possibilities it offers. Together, let's dive into the world of Linux and embrace the power of freedom, customization, and innovation. Enjoy your stay and feel free to join the vibrant discussions that await you!

Rules:

  1. Stay on topic: Posts and discussions should be related to Linux, open source software, and related technologies.

  2. Be respectful: Treat fellow community members with respect and courtesy.

  3. Quality over quantity: Share informative and thought-provoking content.

  4. No spam or self-promotion: Avoid excessive self-promotion or spamming.

  5. No NSFW adult content

  6. Follow general lemmy guidelines.

founded 2 years ago
MODERATORS
MigratingtoLemmy@lemmy.world
20
Demystifying secure NFS (blogsystem5.substack.com)
submitted 1 week ago by qaz@lemmy.world to c/linux@lemmy.world
7 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] partial_accumen@lemmy.world 5 points 1 week ago (2 children)

Having gone through this hard journey before, I was surprised to see the alternative to NFSv4 /w encryption (via the traditional Kerberos path ) in Oracle Cloud. Its built into their guest environment agent in their prebacked Linux images and can be added to any other modern Linux. It does the encryption-in-transit via TLS v1.3 and the agent dynamically creates an stunnel upon request to the file system. This is really slick for a number of different reasons including not having to set up or maintain Kerberos for it, but it also means that encryption-in-transit works on NFSv3!

Mount command works the same as before with the exception of the -t argument:

sudo mount -t oci-fss 10.x.x.x:/fs-export-path /mnt/yourmountpoint

source

I haven't looked to see if there is a non Oracle Cloud implementation of this method by some other open source project or vendor though. I understand that the compatibility is dependent on the backend support which your Synology NAS likely doesn't support. I thought I'd share this for other folks that do enterprise stuff that have been through your pain before. Lots of us are dealing with legacy systems and still need to reach compliance goals to pass regulatory audits.

[–] InnerScientist@lemmy.world 7 points 1 week ago (1 children)

NFS traffic can be encrypted using TLS as of Linux 6.5 using the xprtsec=tls mount option. To begin, install the ktls-utils package on the client and server, and follow the below configuration steps for each.

https://wiki.archlinux.org/title/NFS#TLS_encryption

[–] partial_accumen@lemmy.world 2 points 1 week ago

Nice! I'm glad this exists outside of Oracle Cloud. Thanks for sharing that.

[–] qaz@lemmy.world 2 points 1 week ago (1 children)

But this method still allows IP spoofing to access the NFS share right?

[–] partial_accumen@lemmy.world 0 points 1 week ago

When you say IP spoofing, do you mean via NAT or port redirection in a router through to the NFS host on the backend?