1

I have a tricky question for you, well, at least it seems tricky to me.

Here is the setup. I have a Linux file server and another Linux server. I am looking to use the disk space from the filer server on the other Linux server. The only catch is that I would like the data to be encrypted on the filer server to avoid having random people looking into the data.

So to sum up, the data needs to be encrypted on the file server but mountable on the other Linux server via NFS or some other protocol.

The solution needs to be at least free and/or open source.

Thank you in advance for your help!

Antoine Benkemoun

4 Answers

2

I think encfs is a good starting point. Since I'm also interested in this, I'll try and set one up and let you know how it goes.

khosrow
0

It depends how you've encrypted the data. E.g., on CentOS, if your system disk is encrypted (so passphrase at boot time), once the system is booted you can share your data via NFS as a normal share. E.g., on Synology and other systems that encrypt data at an "application level" you can't use NFS but you can use CIFS. I suppose that's because NFS reads the bytes (so encrypted ones) at a lower level than CIFS (post-decryption level). With this way of sharing encrypted data, performance will be lower anyway, so NFS vs CIFS is no longer a topic to discuss :)

0

> The only catch is that I would like the data to be encrypted

Since this is Linux, look at dm-crypt or truecrypt.

> With dm-crypt or truecrypt, will anyone with access to the filesystem be able to access the data?

This depends on what you mean by anyone and access. If you haven't stored your keys on the box and some evil person steals the computer or the drive, the encrypted data is going to be unreadable. If the system is left on and the encrypted filesystem is left mounted, and a person is able to log in to the system with an account that has permissions on the files, then yes, they will be able to access the data. If you control access correctly, then nobody but authorized users should be able to access the data.

> The data needs to be encrypted on the file server but mountable on the other linux server via NFS or some other protocol.

How the data is encrypted on the server is generally unrelated to how you serve it. Keep in mind that most file serving protocols you will use will not be encrypted, so people will be able to see your files as they are used over the network unless you do something to encrypt them in transit. You could use something like IPSEC, a VPN between the hosts, or sshfs.

Zoredache
0

I'd use a static SSHFS mount to encrypt the traffic. You can certainly use whatever method you want to encrypt the file store on the server, but as Zoredache said, that's only part of the solution. Most current distros have a package for SSHFS, which usually requires FUSE.
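
The answers above separate encryption at rest (dm-crypt, encfs) from encryption in transit (IPsec, VPN, SSHFS). The following is an added example, not part of any answer on this page: a shell function that reads lines in `/proc/mounts` format and reports, for each network filesystem, whether the protocol itself encrypts traffic. The function names, host names and mount points are assumptions, and the sample mount table is constructed.

```shell
#!/bin/sh
# Added example: classify network mounts by protocol-level in-transit encryption.
# Input: lines in /proc/mounts format (device mountpoint fstype options dump pass).
# Limitation: an IPsec tunnel or VPN underneath a "cleartext" mount is not
# visible in the mount table, so "cleartext" means "check the network layer".
audit_mounts() {
    awk '
    {
        fstype = $3; verdict = ""; krb5p = 0; seal = 0
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] == "sec=krb5p") krb5p = 1   # NFS with Kerberos privacy
            if (opt[i] == "seal")      seal  = 1   # SMB3 encryption
        }
        if (fstype == "fuse.sshfs")
            verdict = "encrypted"                  # always carried over SSH
        else if (fstype == "nfs" || fstype == "nfs4")
            verdict = krb5p ? "encrypted" : "cleartext"
        else if (fstype == "cifs" || fstype == "smb3")
            verdict = seal ? "encrypted" : "cleartext"
        # Local filesystems (including dm-crypt volumes) are skipped:
        # at-rest encryption says nothing about the wire.
        if (verdict != "") print $2, fstype, verdict
    }'
}

# Constructed sample mount table (hypothetical hosts and paths).
sample_mounts() {
cat <<'EOF'
/dev/mapper/cryptdata /srv/data ext4 rw,relatime 0 0
filer:/export/data /mnt/nfs nfs4 rw,relatime,vers=4.2,sec=sys,proto=tcp 0 0
filer:/export/secure /mnt/nfs-krb nfs4 rw,relatime,vers=4.2,sec=krb5p,proto=tcp 0 0
//filer/share /mnt/cifs cifs rw,relatime,vers=3.1.1,seal 0 0
backup@filer:/srv/data /mnt/sshfs fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000 0 0
EOF
}

sample_mounts | audit_mounts
# On a live client: audit_mounts < /proc/mounts
```
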