Using In-transit TLS Encryption
In-transit encryption using oci-fss-utils or stunnel provides a way to secure your data between instances and mounted file systems using TLS v.1.2 (Transport Layer Security) encryption. Together with other methods of security such as Oracle Cloud Infrastructure
Vault and File Storage's encryption-at-rest, in-transit encryption provides for end-to-end security.
If you use Kerberos for authentication, the KRB5P security option provides authentication over NFS, data integrity (unauthorized modification of data in-transit), and data privacy as an alternative in-transit encryption option.
- For general information about getting started with file systems, see Overview of File Storage.
- For more information on the Vault service, see Overview of Vault.
- For more information on securing your file system, see About File Storage Security and the Securing File Storage reference in the Security Guide.
In-transit encryption using oci-fss-utils or stunnel doesn't require any updates to your file system's mount target or export configuration, but the steps differ for Linux users and Windows users.
Prerequisites
Add the required rules to the security list for the mount target subnet. Alternatively, you can add the following rules to a Network Security Group (NSG) and then add the mount target to the NSG. For more information and instructions about adding security list rules for File Storage, see Configuring VCN Security Rules for File Storage, in particular Scenario C: Mount target and instance use TLS in-transit encryption.
Only the rules for TCP port 2051 are required for encrypted access.
In-transit Encryption for Linux Users
To enable in-transit encryption, you install a package called oci-fss-utils on the instance. The oci-fss-utils is available for the following instance types:
- Oracle Linux, CentOS 7 x86
- Oracle Linux, CentOS 8 x86
- Oracle Linux, CentOS 9 x86
- Oracle Linux, CentOS 7 Arm*
- Oracle Linux, CentOS 8 Arm*
- Oracle Linux, CentOS 9 Arm*
*Oracle offers an Arm-based compute platform based on the Ampere Altra processor. See Arm-Based Compute for more information.
How In-transit Encryption is Enabled
The oci-fss-utils package creates a network namespace and virtual
network interface on your instance and provides a local NFS endpoint. The
oci-fss-utils package also runs a forwarder process in the
background called oci-fss-forwarder.
The network namespace isolates the forwarder process from your instance's networking environment. The virtual network interface provides the forwarder process a unique IP address. The local NFS endpoint provides NFS connection capability.
The file system is mounted using a special command that initiates encryption. After the file system is mounted, the oci-fss-forwarder process connects the local NFS client to the NFS endpoint. The process then receives requests from the NFS client, encrypts them and sends them to the mount target using a TLS tunnel.
Here are the general steps for setting up In-transit encryption:
- Ensure that you meet the prerequisites before setting up in-transit encryption.
- Download the
oci-fss-utilspackage. For instructions, see Task 1: Download the OCI-FSS-UTILS package. - Install the
oci-fss-utilspackage on the instance. For instructions, see Task 2: Install the OCI-FSS-UTILS package on Oracle Linux or CentOS. - Use the in-transit encryption command to mount the file system. For instructions, see Task 3: Mount the file system with the encryption command.
Limitations and Considerations
- The in-transit encryption installation package is distributed as an RPM for Oracle Linux and CentOS and can be downloaded at cloud-infrastructure-file-storage-downloads.html
- You must install the
oci-fss-utilspackage on every instance that requires encrypted access to a mount target. - The number of encrypted NFS/TLS connections for a single mount target is limited to 4096.
- DNS hostnames aren't supported for mounting encrypted file systems with
oci-fss-forwarder. Use the mount target IP address to mount encrypted file systems.
If you're not using the latest version of the
oci-fss-utils package, you might experience SSL connection failures. SSL connection failures can cause NFSv3 operations to fail. We recommend that you always upgrade to the latest version of the oci-fss-utils package as soon as it's available. See File Storage Release Notes for information about new RPM version releases.
Setting up In-transit Encryption for Linux
If you're installing the TLS utility on an Oracle Linux instance, skip this task and start from Step 3 in Task 2: Install the OCI-FSS-UTILS package on Oracle Linux or CentOS.
Internet access is required to download the RPM installation package. If the destination
instance doesn't have internet access, you can download the RPM to a staging instance on
your network and then use the scp command to securely copy the RPM from
the staging instance to the destination instance.
The scp command requires an SSH key pair to authenticate a remote user. If your instances are UNIX-style systems, you probably already have the ssh-keygen utility installed. To check if it's installed, open a shell or terminal and type ssh-keygen on the command line. If it's not installed, you can obtain OpenSSH for UNIX from http://www.openssh.com/portable.html.
-
(Optional) Create a directory for the RPM installation package on the destination instance. For example:
sudo mkdir -p /<rpm_directory_name> -
Download the
oci-fss-utilspackage from cloud-infrastructure-file-storage-downloads.html to the directory on the destination instance or to a staging instance on your network.If you downloaded the package directly to the destination instance, skip the next step and proceed directly to Task 2: Install the OCI-FSS-UTILS package on Oracle Linux or CentOS.
If you downloaded the package to a staging instance, proceed to the next step in these instructions.
-
Open a terminal window on the staging instance, and use the
scpcommand to securely copy the RPM from the staging instance to the destination instance. For example:scp -i <private_key> <downloaded_file_name> <username>@<destination_public_ip_address>:/<rpm_directory_name>After the RPM package is downloaded to the target instance, proceed to Task 2: Install the OCI-FSS-UTILS package on Oracle Linux or CentOS.
- Open a terminal window on the destination instance.
-
If the file name of the downloaded package doesn't include the package version and architecture, use the following command to identify the RPM file to be installed:
rpm -qp <downloaded_file_name>After the package is identified, rename the file using the RPM returned by the query. For example:
mv <downloaded_file_name> $(rpm -qp <downloaded_file_name>).rpm -
Install the package.
-
If you downloaded the package, install it using the following command:
sudo yum localinstall oci-fss-utils-<version>.rpm -
Oracle Linux users can directly install the TLS utility from the Oracle Linux yum repository.
Ensure that the Oracle developer yum repository is enabled for the version of Oracle Linux. For example, replace <version> with 7, 8, or 9 in the following command:
sudo yum-config-manager --enable ol<version>_developerInstall the package using the following command:
sudo yum install oci-fss-utils
-
The package creates a namespace called ns1 in your instance, which contains a default network interface for ethernet traffic. A network interface pair is created for each mount target.
After the package has finished installing, proceed to Task 3: Mount the file system with the encryption command.
- Open a terminal window in your instance.
-
Create a mount point by typing the following, replacing
yourmountpointwith the local directory from which you want to access your file system.sudo mkdir -p /mnt/yourmountpoint -
Mount the file system using the following command:
sudo mount -t oci-fss 10.x.x.x:/fs-export-path /mnt/yourmountpointReplace
10.x.x.x:with the local subnet IP address assigned to your mount target,fs-export-pathwith the export path you specified when associating the file system with the mount target, andyourmountpointwith the path to the local mount point. The export path is the path to the file system (relative to the mount target IP address).If you have installedoci-fss-utilsversion 2.0-1 or above, you can mount the file system in FIPS approved mode by including-o fipsin the mount command. For example:sudo mount -t oci-fss -o fips 10.x.x.x:/fs-export-path /mnt/yourmountpointImportant
DNS hostnames are not currently supported for mounting file systems with themount -t oci-fsscommand. You must use the mount target IP address.Example output from the
mount -t oci-fsscommand:Created symlink from /etc/systemd/system/multi-user.target.wants/oci-fss-2.service to /usr/lib/systemd/system/oci-fss-2.service.Each time you mount a file system using this command, a new
oci-fssservice is initiated with an incrementing sequence number between 2 and 255. For example,oci-fss-2.service,oci-fss-3.service, and so on.Tip
You can use the
resvportoption to restrict the client to using a specific reserved port. For example:sudo mount -t oci-fss -o resvport=900 10.x.x.x:/fs-export-path /mnt/yourmountpoint
Managing In-transit Encryption for Linux
Auto-mount ensures that a file system is automatically re-mounted on an instance if it is rebooted.
- Open a terminal window on the instance. Mount the file system as described in Task 2: Install the OCI-FSS-UTILS package on Oracle Linux or CentOS.
-
Open the
/etc/fstabfile for editing:cd /etcvi fstab -
Add the following line to the fstab file:
10.x.x.x:/fs-export-path /mnt/yourmountpoint oci-fss x-systemd.requires=oci-fss-init.service,defaults,nofail 0 0Replace
10.x.x.x:with the local subnet IP address assigned to your mount target,fs-export-pathwith the export path you specified when associating the file system with the mount target, andyourmountpointwith the path to the local mount point.If you have installedoci-fss-utilsversion 2.0-1 or above, you can mount the file system in FIPS approved mode by including-o fipsin the mount command. For example:10.x.x.x:/fs-export-path /mnt/yourmountpoint oci-fss x-systemd.requires=oci-fss-init.service,defaults,nofail,fips 0 0Important
DNS hostnames are not currently supported for mounting file systems with themount -t oci-fsscommand. You must use the mount target IP address.Tip
You can use the resvport option to restrict the client to using a specific reserved port. For example:
10.x.x.x:/fs-export-path /mnt/yourmountpoint oci-fss x-systemd.requires=oci-fss-init.service,defaults,nofail,resvport=900 0 0
When you unmount a file system, you must use another oci-fss-utils
command to ensure that the associated local network namespace is removed:
- Open a terminal window on the instance.
-
Use the following command to unmount the file system:
sudo umount -t oci-fss /mnt/yourmountpointReplace
yourmountpointwith the path to the local mount point.
- First, unmount all mounted file systems. For instructions, see To unmount a file system.
- Open a terminal window on the instance.
-
Type the following command to uninstall the
oci-fsspackage:sudo yum remove oci-fss-utils
In-transit Encryption for Windows Users
Windows clients can use stunnel to enable in-transit encryption to file systems.
Limitations and Considerations
- The number of encrypted NFS/TLS connections for a single mount target is limited to 64. This limitation is caused by TLS memory requirements. Unlike NFS connections, TLS connections do not share memory buffers. So, once a TLS connection has been established, the allocated memory stays dedicated to it.
- DNS hostnames are not supported for mounting encrypted file systems. Use the mount target IP address to mount encrypted file systems.
Setting up In-transit Encryption for Windows
These instructions describe how to install and set up stunnel to use in-transit encryption with your file systems. Ensure that you meet the prerequisites before setting up in-transit encryption.
You can automate this process by using a batch script that contains the following steps.
Setup Tasks
-
Open Windows PowerShell on your target instance and use the following command to install the Windows NFS Client:
Install-WindowsFeature NFS-ClientAfter the client is installed, proceed to Task 2: Download and Install stunnel.
-
Download and install stunnel from https://www.stunnel.org/downloads.html.
Note
The last installation step requests certificate information. Entering a value here is optional.By default, stunnel is installed to the following directory:
C:\Program Files (x86)\stunnel -
Open the file
C:\Program Files (x86)\stunnel\config\stunnel.cfgfor editing and specify the following configuration:[mount] client=yes accept=127.0.0.1:2048 connect=10.0.1.155:2051 [nfs] client=yes accept=127.0.0.1:2049 connect=10.0.1.155:2051 [nlm] client=yes accept=127.0.0.1:2050 connect=10.0.1.155:2051 [rpcbind] client=yes accept=127.0.0.1:111 connect=10.0.1.155:2051 -
Start stunnel using
C:\Program Files (x86)\stunnel\bin\tstunnel.exe.Proceed to Task 3: Mount and Test Your Connection.
Open a command prompt and type the following series of commands:
-
Mount the file system:
mount \\127.0.0.1\fss z: -
Test the connection to the file system by listing the contents of the directory:
dir z: -
Unmount the file system:
umount z: