Using In-transit TLS Encryption
In-transit encryption using oci-fss-utils
or stunnel provides a way to secure your data between instances and mounted file systems using TLS v.1.2 (Transport Layer Security) encryption. Together with other methods of security such as Oracle Cloud Infrastructure
Vault and File Storage's encryption-at-rest, in-transit encryption provides for end-to-end security.
If you use Kerberos for authentication, the KRB5P security option provides authentication over NFS, data integrity (unauthorized modification of data in-transit), and data privacy as an alternative in-transit encryption option.
- For general information about getting started with file systems, see Overview of File Storage.
- For more information on the Vault service, see Overview of Vault.
- For more information on securing your file system, see About File Storage Security and the Securing File Storage reference in the Security Guide.
In-transit encryption using oci-fss-utils
or stunnel doesn't require any updates to your file system's mount target or export configuration, but the steps differ for Linux users and Windows users.
Prerequisites
Add the following new rules to the security list for the mount target subnet. Alternatively, you can add the following rules to a Network Security Group (NSG) and then add the mount target to the NSG. For more information and instructions about adding security list rules for File Storage, see Configuring VCN Security Rules for File Storage.
- A stateful ingress rule allowing TCP traffic to a Destination Port Range of 2051.
- A stateful egress rule allowing TCP traffic from a Source Port Range of 2051.
Standard (unencrypted) access to File Storage mount targets requires access to the following ports:
- Stateful ingress to TCP ports 111, 2048, 2049, and 2050.
- Stateful ingress to UDP ports 111 and 2048.
- Stateful egress from TCP ports 111, 2048, 2049, and 2050.
- Stateful egress from UDP port 111.
If you have previously set up rules for standard access, and you want to enforce encrypted access only, then you can disable the standard access ports.
Only the rules for TCP port 2051 are required for encrypted access.
In-transit Encryption for Linux Users
To enable in-transit encryption, you install a package called oci-fss-utils
on the instance. The oci-fss-utils
is available for the following instance types:
- Oracle Linux, CentOS 7 x86
- Oracle Linux, CentOS 8 x86
- Oracle Linux, CentOS 7 Arm*
- Oracle Linux, CentOS 8 Arm*
*Oracle offers an Arm-based compute platform based on the Ampere Altra processor. See Arm-Based Compute for more information.
How In-transit Encryption is Enabled
The oci-fss-utils
package creates a network namespace and virtual
network interface on your instance and provides a local NFS endpoint. The
oci-fss-utils
package also runs a forwarder process in the
background called oci-fss-forwarder
.
The network namespace isolates the forwarder process from your instance's networking environment. The virtual network interface provides the forwarder process a unique IP address. The local NFS endpoint provides NFS connection capability.
The file system is mounted using a special command that initiates encryption. After the file system is mounted, the oci-fss-forwarder
process connects the local NFS client to the NFS endpoint. The process then receives requests from the NFS client, encrypts them and sends them to the mount target using a TLS tunnel.
Here are the general steps for setting up In-transit encryption:
- Ensure that you meet the prerequisites before setting up in-transit encryption.
- Download the
oci-fss-utils
package. For instructions, see Task 1: Download the OCI-FSS-UTILS package. - Install the
oci-fss-utils
package on the instance. For instructions, see Task 2: Install the OCI-FSS-UTILS package on Oracle Linux or CentOS. - Use the in-transit encryption command to mount the file system. For instructions, see Task 3: Mount the file system with the encryption command.
Limitations and Considerations
- The in-transit encryption installation package is distributed as an RPM for Oracle Linux and CentOS and can be downloaded at cloud-infrastructure-file-storage-downloads.html
- You must install the
oci-fss-utils
package on every instance that requires encrypted access to a mount target. - The number of encrypted NFS/TLS connections for a single mount target is limited to 4096.
- DNS hostnames aren't supported for mounting encrypted file systems with
oci-fss-forwarder
. Use the mount target IP address to mount encrypted file systems.
If you're not using the latest version of the
oci-fss-utils
package, you might experience SSL connection failures. SSL connection failures can cause NFSv3 operations to fail. We recommend that you always upgrade to the latest version of the oci-fss-utils
package as soon as it's available. See File Storage Release Notes for information about new RPM version releases.
Setting up In-transit Encryption for Linux
Internet access is required to download the RPM installation package. If the destination
instance doesn't have internet access, you can download the RPM to a staging instance on
your network and then use the scp
command to securely copy the RPM from
the staging instance to the destination instance.
The scp
command requires an SSH key pair to authenticate a remote user. If your instances are UNIX-style systems, you probably already have the ssh-keygen
utility installed. To check if it's installed, open a shell or terminal and type ssh-keygen
on the command line. If it's not installed, you can obtain OpenSSH for UNIX from http://www.openssh.com/portable.html.
-
(Optional) Create a directory for the RPM installation package on the destination instance. For example:
sudo mkdir -p /<rpm_directory_name>
-
Download the
oci-fss-utils
package from cloud-infrastructure-file-storage-downloads.html to the directory on the destination instance or to a staging instance on your network.If you downloaded the package directly to the destination instance, skip the next step and proceed directly to Task 2: Install the OCI-FSS-UTILS package on Oracle Linux or CentOS.
If you downloaded the package to a staging instance, proceed to the next step in these instructions.
-
Open a terminal window on the staging instance, and use the
scp
command to securely copy the RPM from the staging instance to the destination instance. For example:scp -i <private_key> <downloaded_file_name> <username>@<destination_public_ip_address>:/<rpm_directory_name>
After the RPM package is downloaded to the target instance, proceed to Task 2: Install the OCI-FSS-UTILS package on Oracle Linux or CentOS.
- Open a terminal window on the destination instance.
-
If the file name of the downloaded package doesn't include the package version and architecture, use the following command to identify the RPM file to be installed:
rpm -qp <downloaded_file_name>
After the package is identified, rename the file using the RPM returned by the query. For example:
mv <downloaded_file_name> $(rpm -qp <downloaded_file_name>).rpm
-
Install the package using the following command:
sudo yum localinstall oci-fss-utils-<version>.rpm
The package creates a namespace called ns1
in your instance, which contains a default network interface for ethernet traffic. A network interface pair is created for each mount target.
After the package has finished installing, proceed to Task 3: Mount the file system with the encryption command.
- Open a terminal window in your instance.
-
Create a mount point by typing the following, replacing
yourmountpoint
with the local directory from which you want to access your file system.sudo mkdir -p /mnt/yourmountpoint
-
Mount the file system using the following command:
sudo mount -t oci-fss 10.x.x.x:/fs-export-path /mnt/yourmountpoint
Replace
10.x.x.x:
with the local subnet IP address assigned to your mount target,fs-export-path
with the export path you specified when associating the file system with the mount target, andyourmountpoint
with the path to the local mount point. The export path is the path to the file system (relative to the mount target IP address).If you have installedoci-fss-utils
version 2.0-1 or above, you can mount the file system in FIPS approved mode by including-o fips
in the mount command. For example:sudo mount -t oci-fss -o fips 10.x.x.x:/fs-export-path /mnt/yourmountpoint
Important
DNS hostnames are not currently supported for mounting file systems with themount -t oci-fss
command. You must use the mount target IP address.Example output from the
mount -t oci-fss
command:Created symlink from /etc/systemd/system/multi-user.target.wants/oci-fss-2.service to /usr/lib/systemd/system/oci-fss-2.service.
Each time you mount a file system using this command, a new
oci-fss
service is initiated with an incrementing sequence number between 2 and 255. For example,oci-fss-2.service
,oci-fss-3.service
, and so on.Tip
You can use the
resvport
option to restrict the client to using a specific reserved port. For example:sudo mount -t oci-fss -o resvport=900 10.x.x.x:/fs-export-path /mnt/yourmountpoint
Managing In-transit Encryption for Linux
Auto-mount ensures that a file system is automatically re-mounted on an instance if it is rebooted.
- Open a terminal window on the instance. Mount the file system as described in Task 2: Install the OCI-FSS-UTILS package on Oracle Linux or CentOS.
-
Open the
/etc/fstab
file for editing:cd /etc
vi fstab
-
Add the following line to the fstab file:
10.x.x.x:/fs-export-path /mnt/yourmountpoint oci-fss x-systemd.requires=oci-fss-init.service,defaults,nofail 0 0
Replace
10.x.x.x:
with the local subnet IP address assigned to your mount target,fs-export-path
with the export path you specified when associating the file system with the mount target, andyourmountpoint
with the path to the local mount point.If you have installedoci-fss-utils
version 2.0-1 or above, you can mount the file system in FIPS approved mode by including-o fips
in the mount command. For example:10.x.x.x:/fs-export-path /mnt/yourmountpoint oci-fss x-systemd.requires=oci-fss-init.service,defaults,nofail,fips 0 0
Important
DNS hostnames are not currently supported for mounting file systems with themount -t oci-fss
command. You must use the mount target IP address.Tip
You can use the resvport option to restrict the client to using a specific reserved port. For example:
10.x.x.x:/fs-export-path /mnt/yourmountpoint oci-fss x-systemd.requires=oci-fss-init.service,defaults,nofail,resvport=900 0 0
When you unmount a file system, you must use another oci-fss-utils
command to ensure that the associated local network namespace is removed:
- Open a terminal window on the instance.
-
Use the following command to unmount the file system:
sudo umount -t oci-fss /mnt/yourmountpoint
Replace
yourmountpoint
with the path to the local mount point.
- First, unmount all mounted file systems. For instructions, see To unmount a file system.
- Open a terminal window on the instance.
-
Type the following command to uninstall the
oci-fss
package:sudo yum remove oci-fss-utils
In-transit Encryption for Windows Users
Windows clients can use stunnel to enable in-transit encryption to file systems.
Limitations and Considerations
- The number of encrypted NFS/TLS connections for a single mount target is limited to 64. This limitation is caused by TLS memory requirements. Unlike NFS connections, TLS connections do not share memory buffers. So, once a TLS connection has been established, the allocated memory stays dedicated to it.
- DNS hostnames are not supported for mounting encrypted file systems. Use the mount target IP address to mount encrypted file systems.
Setting up In-transit Encryption for Windows
These instructions describe how to install and set up stunnel to use in-transit encryption with your file systems. Ensure that you meet the prerequisites before setting up in-transit encryption.
You can automate this process by using a batch script that contains the following steps.
Setup Tasks
-
Open Windows PowerShell on your target instance and use the following command to install the Windows NFS Client:
Install-WindowsFeature NFS-Client
After the client is installed, proceed to Task 2: Download and Install stunnel.
-
Download and install stunnel from https://www.stunnel.org/downloads.html.
Note
The last installation step requests certificate information. Entering a value here is optional.By default, stunnel is installed to the following directory:
C:\Program Files (x86)\stunnel
-
Open the file
C:\Program Files (x86)\stunnel\config\stunnel.cfg
for editing and specify the following configuration:[mount] client=yes accept=127.0.0.1:2048 connect=10.0.1.155:2051 [nfs] client=yes accept=127.0.0.1:2049 connect=10.0.1.155:2051 [nlm] client=yes accept=127.0.0.1:2050 connect=10.0.1.155:2051 [rpcbind] client=yes accept=127.0.0.1:111 connect=10.0.1.155:2051
-
Start stunnel using
C:\Program Files (x86)\stunnel\bin\tstunnel.exe
.Proceed to Task 3: Mount and Test Your Connection.
Open a command prompt and type the following series of commands:
-
Mount the file system:
mount \\127.0.0.1\fss z:
-
Test the connection to the file system by listing the contents of the directory:
dir z:
-
Unmount the file system:
umount z: