Using In-transit Encryption

In-transit encryption provides a way to secure your data between instances and mounted file systems using TLS 1.2 (Transport Layer Security) encryption. Together with other security methods such as Oracle Cloud Infrastructure Vault (KMS) and File Storage's encryption-at-rest, in-transit encryption provides end-to-end security.

How In-transit Encryption is Enabled

In-transit encryption doesn't require any updates to your file system's mount target or export configuration. To enable in-transit encryption, you install a package called oci-fss-utils on your instance. The oci-fss-utils package creates a network namespace and a virtual network interface on your instance and provides a local NFS endpoint. The oci-fss-utils package also runs a forwarder process in the background called oci-fss-forwarder.

The network namespace isolates the forwarder process from your instance’s networking environment. The virtual network interface provides the forwarder process a unique IP address. The local NFS endpoint provides NFS connection capability.

The file system is mounted using a special command that initiates encryption. After the file system is mounted, the oci-fss-forwarder process connects the local NFS client to the NFS endpoint. The process then receives requests from the NFS client, encrypts them and sends them to the mount target using a TLS tunnel.

Here are the general steps for setting up in-transit encryption:

  1. Download the oci-fss-utils package. For instructions, see Task 1: Download the OCI-FSS-UTILS package.
  2. Install the oci-fss-utils package on the instance. For instructions, see Task 2: Install the OCI-FSS-UTILS package on Oracle Linux or CentOS.
  3. Use the in-transit encryption command to mount the file system. For instructions, see Task 3: Mount the file system with the encryption command.

Limitations and Considerations

  • The in-transit encryption installation package is distributed as an RPM for Oracle Linux and CentOS and can be downloaded at https://www.oracle.com/downloads/cloud/oci-file-storage-client-downloads.html.
  • You must install the oci-fss-utils package on every instance that requires encrypted access to a mount target.
  • The number of encrypted NFS/TLS connections for a single mount target is limited to 64. This limitation is caused by TLS memory requirements. Unlike NFS connections, TLS connections do not share memory buffers. So, once a TLS connection has been established, the allocated memory stays dedicated to it.

Setting up In-transit Encryption

Prerequisites

  • Add the following new rules to the security list for the mount target subnet. Alternatively, you can add the following rules to a Network Security Group (NSG) and then add the mount target to the NSG. For more information and instructions about adding security list rules for File Storage, see Configuring VCN Security Rules for File Storage.
    • A stateful ingress rule allowing TCP traffic to a Destination Port Range of 2051.
    • A stateful egress rule allowing TCP traffic from a Source Port Range of 2051.

    Important

    Standard (unencrypted) access to File Storage mount targets requires access to the following ports:

    • Stateful ingress to TCP ports 111, 2048, 2049, and 2050.
    • Stateful ingress to UDP ports 111 and 2048.
    • Stateful egress from TCP ports 111, 2048, 2049, and 2050.
    • Stateful egress from UDP port 111.

    If you have previously set up rules for standard access and you want to enforce encrypted access only, you can disable the standard access ports. Only the rules for TCP port 2051 are required for encrypted access.
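The following script is an added example (not part of the Oracle documentation) that audits a security list or NSG rule set against the prerequisites above: it confirms that stateful TCP 2051 rules exist in both directions and reports which standard (unencrypted) NFS ports are still reachable, which is what you want to know when enforcing encrypted-only access. It assumes the rule shape returned by the OCI REST API or CLI (direction, protocol "6"/"17"/"all", isStateless, tcpOptions/udpOptions with destinationPortRange or sourcePortRange); keys are normalised so camelCase and kebab-case both work, and the sample rules are constructed.

```python
"""Audit OCI security-list / NSG rules for File Storage in-transit encryption.

Added example (not from the Oracle documentation). Assumed rule shape: the
security-rule objects returned by the OCI REST API or CLI, with direction,
protocol ("6" = TCP, "17" = UDP, "all"), isStateless/is-stateless, and
tcpOptions/udpOptions carrying destinationPortRange and/or sourcePortRange
{"min", "max"}. Keys are normalised so camelCase and kebab-case both work.
"""
import json
import sys

ENCRYPTED_TCP_PORT = 2051                      # TLS tunnel to the mount target
STANDARD_TCP_PORTS = (111, 2048, 2049, 2050)   # unencrypted NFS access (ingress)
STANDARD_UDP_INGRESS_PORTS = (111, 2048)
TCP, UDP = "6", "17"


def _norm(obj):
    """Recursively normalise keys so 'tcp-options' and 'tcpOptions' compare equal."""
    if isinstance(obj, dict):
        return {k.replace("-", "").lower(): _norm(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_norm(v) for v in obj]
    return obj


def rule_allows(rule, direction, protocol, port):
    """True if this stateful rule permits `protocol`/`port` in `direction`.

    Ingress rules are matched on their destination port range, egress rules on
    their source port range (the ranges the File Storage prerequisites name).
    A rule with no port range, or with protocol "all", matches every port.
    Stateless rules are ignored because the docs call for stateful ones.
    """
    r = _norm(rule)
    if r.get("direction") != direction or r.get("isstateless"):
        return False
    proto = r.get("protocol")
    if proto == "all":
        return True
    if proto != protocol:
        return False
    opts = r.get("tcpoptions" if proto == TCP else "udpoptions") or {}
    rng = opts.get("destinationportrange" if direction == "INGRESS" else "sourceportrange")
    if not rng:
        return True
    return rng["min"] <= port <= rng["max"]


def audit(rules):
    """Summarise whether encrypted access (TCP 2051 both ways) is possible and
    which standard, unencrypted NFS ports are still reachable on ingress."""
    enc_in = any(rule_allows(r, "INGRESS", TCP, ENCRYPTED_TCP_PORT) for r in rules)
    enc_out = any(rule_allows(r, "EGRESS", TCP, ENCRYPTED_TCP_PORT) for r in rules)
    still_open = [f"tcp/{p}" for p in STANDARD_TCP_PORTS
                  if any(rule_allows(r, "INGRESS", TCP, p) for r in rules)]
    still_open += [f"udp/{p}" for p in STANDARD_UDP_INGRESS_PORTS
                   if any(rule_allows(r, "INGRESS", UDP, p) for r in rules)]
    missing = [name for name, ok in (("ingress tcp/2051", enc_in),
                                     ("egress tcp/2051", enc_out)) if not ok]
    return {"encrypted_access": enc_in and enc_out,
            "missing": missing,
            "standard_ports_open": still_open}


def load_cli_security_list(doc):
    """Flatten `oci network security-list get` output (data.ingress-security-rules /
    data.egress-security-rules) into one list of rules tagged with a direction."""
    data = _norm(doc).get("data", _norm(doc))
    rules = [dict(r, direction="INGRESS") for r in data.get("ingresssecurityrules", [])]
    rules += [dict(r, direction="EGRESS") for r in data.get("egresssecurityrules", [])]
    return rules


# Constructed sample: encrypted access is configured, but a legacy rule for the
# standard NFS ports 2048-2050 was never removed.
SAMPLE_RULES = [
    {"direction": "INGRESS", "protocol": "6", "source": "10.0.0.0/16", "isStateless": False,
     "tcpOptions": {"destinationPortRange": {"min": 2051, "max": 2051}}},
    {"direction": "EGRESS", "protocol": "6", "destination": "10.0.0.0/16", "isStateless": False,
     "tcpOptions": {"sourcePortRange": {"min": 2051, "max": 2051}}},
    {"direction": "INGRESS", "protocol": "6", "source": "10.0.0.0/16", "isStateless": False,
     "tcpOptions": {"destinationPortRange": {"min": 2048, "max": 2050}}},
]

if __name__ == "__main__":
    # Usage: python audit_fss_rules.py security-list.json  (no argument audits the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            rules = load_cli_security_list(json.load(f))
    else:
        rules = SAMPLE_RULES
    print(json.dumps(audit(rules), indent=2))
```

Run against the sample, the audit reports encrypted access as possible and lists tcp/2048, tcp/2049 and tcp/2050 as still open, which is the case the Important note describes: encrypted access works, but standard access has not actually been disabled.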

Setup Tasks

Task 1: Download the OCI-FSS-UTILS package
Task 2: Install the OCI-FSS-UTILS package on Oracle Linux or CentOS
Task 3: Mount the file system with the encryption command

Managing In-transit Encryption

To auto-mount a file system
To unmount a file system
To uninstall the OCI-FSS-UTILS package

Troubleshooting

If you experience issues with in-transit encryption, try the following techniques:

Verify that you have all the security list rules set up correctly for the mount target subnet.

In-transit encryption requires the following security list rules:

  • A stateful ingress rule allowing TCP traffic to a Destination Port Range of 2051.
  • A stateful egress rule allowing TCP traffic from a Source Port Range of 2051.

For more information and instructions, see Security Rules.

Verify that the oci-fss service is running for the mounted file system.

If it is not, restart the service.

To verify the service is running
To start the service

Verify that the namespace ns1 has been created and contains a network interface.

To verify the network namespace

Verify that IP forwarding is running on the instance.

Installing oci-fss-utils automatically turns on IP forwarding. However, you may have other processes running on the instance that disable it.

To verify that IP forwarding is running on the instance
To enable IP forwarding on the instance

Use the tcpdump utility to analyze traffic between the oci-fss service and the NFS client.

To obtain information using TCPDUMP

Use the journalctl command to view any messages that may have been logged by systemd regarding the service.

To obtain information from the SYSTEMD journal
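The script below is an added example (not from the Oracle documentation) that bundles the local checks from the troubleshooting section above: is the service running, does namespace ns1 exist and hold a network interface, is IP forwarding on, and if anything fails, what did systemd log for the service. Each check is written as a parser over the relevant command's output so it can be tested offline with constructed samples, and a runner executes the real commands on the instance. Two assumptions: the systemd unit is taken to be named `oci-fss` (the page only says "the oci-fss service"; adjust OCI_FSS_UNIT if your unit name differs), and the interface name in the sample output is invented.

```python
"""Local troubleshooting checks for File Storage in-transit encryption.

Added example, not from the Oracle documentation. Pure parsers over command
output (unit-testable) plus a runner that executes the real commands.
Assumptions: the systemd unit is called `oci-fss` (adjust OCI_FSS_UNIT) and
the namespace is `ns1`, as the troubleshooting section states.
"""
import subprocess

OCI_FSS_UNIT = "oci-fss"   # assumed unit name; confirm with `systemctl list-units`
NAMESPACE = "ns1"          # namespace created by oci-fss-utils


def ip_forwarding_enabled(sysctl_value):
    """Parse the contents of /proc/sys/net/ipv4/ip_forward ("0" or "1")."""
    return sysctl_value.strip() == "1"


def namespace_present(ip_netns_output, name=NAMESPACE):
    """Parse `ip netns list` output, e.g. 'ns1 (id: 0)'; the id suffix is optional."""
    return any(line.split()[0] == name
               for line in ip_netns_output.splitlines() if line.strip())


def namespace_interfaces(ip_link_output):
    """Parse `ip -o link` output captured inside the namespace and return the
    non-loopback interface names ('veth0@if7' -> 'veth0')."""
    names = []
    for line in ip_link_output.splitlines():
        parts = line.split(": ", 2)          # "2: veth0@if7: <FLAGS> mtu ..."
        if len(parts) < 3:
            continue
        name = parts[1].split("@")[0]
        if name != "lo":
            names.append(name)
    return names


def service_active(is_active_output):
    """Parse `systemctl is-active <unit>` output ('active', 'inactive', 'failed', ...)."""
    return is_active_output.strip() == "active"


def _run(*cmd):
    """Run a command and return its stdout; a missing tool or non-zero exit
    yields '' so it surfaces as a failed check instead of a traceback."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


def run_checks():
    """Execute the real commands (run as root for `ip netns exec`) and return
    {check_name: passed}."""
    try:
        with open("/proc/sys/net/ipv4/ip_forward") as f:
            fwd = f.read()
    except OSError:
        fwd = ""
    ifaces = namespace_interfaces(_run("ip", "netns", "exec", NAMESPACE, "ip", "-o", "link"))
    return {
        "service_active": service_active(_run("systemctl", "is-active", OCI_FSS_UNIT)),
        "namespace_present": namespace_present(_run("ip", "netns", "list")),
        "namespace_has_interface": bool(ifaces),
        "ip_forwarding": ip_forwarding_enabled(fwd),
    }


if __name__ == "__main__":
    results = run_checks()
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    if not all(results.values()):
        # Next step from the troubleshooting list: read what systemd logged for the service.
        print(_run("journalctl", "-u", OCI_FSS_UNIT, "--no-pager", "-n", "50"))
```

If IP forwarding shows FAIL even though the package installs with it enabled, look for other tooling on the instance that rewrites `net.ipv4.ip_forward`, as the troubleshooting note above describes; the service and namespace checks narrow down whether the forwarder itself ever came up.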