Cr0t (l33t)
Joined: 27 Apr 2002 Posts: 945 Location: USA
Posted: Sat Aug 25, 2018 6:12 pm Post subject: ext4 encryption shared over NFS4
I am trying to share an encrypted ext4 directory over nfs4. The directory is shared via (/etc/exports):
Code:
/home/VAULT 192.168.0.0/26(sync,no_root_squash,rw,no_subtree_check)
After the server starts up, I add the ext4 key and locally everything looks great. I add the key as a local user and NOT as root.
Code:
/usr/sbin/e4crypt add_key -S $CRYPTOSALT $ENCRYPTFOLDER
At this point, I start nfs and the client mounts it like this:
Code:
datastorm:/home/VAULT /mnt/LAN/VAULT nfs4 rw,rsize=65536,wsize=65536,intr,noatime,retrans=15 0 0
The client has access to the directory structure and some of the file names are even how they are supposed to be; however, the majority of the file names are encrypted and none of the files are readable. When I try to `cat` a file, I get "Operation not permitted".
Any ideas?
_________________
cya
krinn (Watchman)
Joined: 02 May 2003 Posts: 7470
Posted: Sun Aug 26, 2018 9:06 am
Your server is badly exporting as nfs4: nfs4 needs a rootnfs (which is marked with fsid=0), and directories are attached to it; because you have not created any, your /home/VAULT should by default be used as the rootnfs.
And the way a client mounts an nfs as 3 or 4 (because 4 is compatible) depends on how the client asks for the mount.
To mount that as nfs3: datastorm:/home/VAULT /mnt/LAN/VAULT nfs nfsvers=3,vers=3
And as nfs4: datastorm:/ /mnt/LAN/VAULT nfs
Keep in mind the nfsroot, because in nfs4 your exported /home/VAULT is taken as /; for the client in nfs4 no /home/VAULT exists at all, and a client referencing it as /home/VAULT is trying to point to the server structure /home/VAULT/home/VAULT.
In nfs4, exported directories are all attached to that nfsroot structure, meaning if you want to export a directory that is outside it, you must bind it to another one that is inside it.
If it helps you get the idea, here's a real example:
Code:
/export 192.168.0.0/24(rw,sec=sys,fsid=0,no_root_squash,no_subtree_check,nohide,async,anonuid=250,anongid=250)
/export/kernel 192.168.0.0/24(rw,no_subtree_check,async,nohide)
/export/distfiles 192.168.0.0/24(rw,no_subtree_check,async,no_root_squash,nohide,secure,anonuid=250,anongid=250)
Note that kernel and distfiles are binds to be part of the nfsroot structure.
To mount as nfs3, the client does: server:/export/distfiles /somedir nfs rw,users,nfsvers=3,vers=3
To use it as nfs4, the client does: server:/distfiles /somedir nfs rw,users
It depends on nfs4 implementations, but in real nfs4 doing this is invalid: server:/export/distfiles, as it means you are looking for the /export/export/distfiles directory, which does not exist.
I suppose the first thing you should do is fix that mess. Next to that maybe someone could help you with your encryption issue.
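An added example (not krinn's code, nor anything from the thread) that scripts the path rule in the reply above: it scans an /etc/exports text for the fsid=0 pseudo-root, works out which server directory a client's mount source actually names under NFSv3 versus NFSv4, and flags the "/export/export/distfiles" mistake. The exports text is constructed from the lines quoted above; the fallback to "/" when no export carries fsid=0 is an assumption about current nfs-utils behaviour, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread. Resolves what server directory an
# NFS client path names, following the NFSv4 pseudo-root rule explained above.
# Assumes standard nfs-utils /etc/exports syntax: <path> <client>(opt,opt,...)

# Constructed sample: the three export lines from the post above.
EXPORTS_TEXT='/export 192.168.0.0/24(rw,sec=sys,fsid=0,no_root_squash,no_subtree_check,nohide,async,anonuid=250,anongid=250)
/export/kernel 192.168.0.0/24(rw,no_subtree_check,async,nohide)
/export/distfiles 192.168.0.0/24(rw,no_subtree_check,async,no_root_squash,nohide,secure,anonuid=250,anongid=250)'

# Constructed sample: the OP's original single export, which has no fsid=0.
OP_EXPORTS_TEXT='/home/VAULT 192.168.0.0/26(sync,no_root_squash,rw,no_subtree_check)'

# Print the export path carrying fsid=0 (the NFSv4 pseudo-root).
# Returns 1 when no export declares one.
nfs4_root() {
    printf '%s\n' "$1" | awk '
        $1 !~ /^#/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /[(,]fsid=0[,)]/) { print $1; found = 1; exit }
        }
        END { exit !found }'
}

# Translate the path part of a client mount source ("server:/distfiles" -> "/distfiles")
# into the server directory it names.  $1 = exports text, $2 = client path, $3 = 3 or 4.
nfs_server_path() {
    exports=$1; client_path=$2; vers=$3
    if [ "$vers" = 3 ]; then
        # NFSv3 clients name the server's real path directly.
        printf '%s\n' "$client_path"
        return 0
    fi
    # NFSv4 clients name paths relative to the pseudo-root.  Assumption: when no
    # fsid=0 export exists, current nfs-utils uses "/" as the pseudo-root.
    root=$(nfs4_root "$exports") || root=/
    # Join the two, collapse duplicate slashes, drop a trailing slash (but keep "/").
    printf '%s\n' "$root/$client_path" | sed 's#//*#/#g; s#\(.\)/$#\1#'
}

# Flag the mistake described above: an NFSv4 client naming an export by its full
# server path, which the server then looks up under the pseudo-root again.
# Returns 1 and prints the path the client should use instead.
nfs4_check_client_path() {
    root=$(nfs4_root "$1") || return 0
    case "$2" in
        "$root"|"$root"/*)
            want=${2#"$root"}
            printf 'warning: %s resolves to %s on the server; mount %s instead\n' \
                "$2" "$(nfs_server_path "$1" "$2" 4)" "${want:-/}" >&2
            return 1 ;;
    esac
    return 0
}

# Demo: the mount forms from the post.
nfs_server_path "$EXPORTS_TEXT" /export/distfiles 3   # /export/distfiles
nfs_server_path "$EXPORTS_TEXT" /distfiles 4          # /export/distfiles
nfs4_check_client_path "$EXPORTS_TEXT" /export/distfiles || true
nfs4_root "$OP_EXPORTS_TEXT" || echo "no fsid=0 export declared"
```

The functions only read the exports text you hand them, so they can be run against a copy of /etc/exports before `exportfs -r` is issued; `exportfs -v` on the server then shows what the kernel actually has loaded, which is the authoritative answer.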
Cr0t (l33t)
Joined: 27 Apr 2002 Posts: 945 Location: USA
Posted: Mon Aug 27, 2018 1:50 pm
I added fsid to my home export and changed the mount option.
Code:
/home 192.168.0.0/26(rw,sync,fsid=0,no_subtree_check)
/home/VAULT 192.168.0.0/26(sync,all_squash,no_subtree_check)
I did not expect this to help, but this is what a `find /mnt/LAN/VAULT -type f` reveals:
Code:
...
find: ‘VAULT/AB/xJzsIfhxhIdtog7HGBc8FbuG6NA/OtK31r9117t033xw3S07WC/ZSfHwZnMeEYAxlN4c+hTMaMT8eI’: Permission denied
...
VAULT/AC/iFUYyPp1BbJXPxG+HT3YdBb0xfB/V0LN5s6bSmP2CQ0ObHyNuA/_WgR+93mXzNXNpqFowO,rlau4SO8IlDae
...
VAULT/AD/readme.txt
...
Touching a file just hangs.
For testing purposes, I set up samba and sharing works as expected.
_________________
cya
Yamakuzure (Advocate)
Joined: 21 Jun 2006 Posts: 2305 Location: Adendorf, Germany
Posted: Mon Aug 27, 2018 2:25 pm
Cr0t wrote:
    I added fsid to my home export and changed the mount option.
And did you issue "exportfs -r -f" on your server after changing /etc/exports?
btw.: The option all_squash may not be what you want. It means that all access is changed to nobody:nogroup. Does nobody have access to your files and directories?
_________________
Edited 220,176 times by Yamakuzure
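An added example (not Yamakuzure's code or anything from the thread) that makes the all_squash point checkable: it reads an export's option list and reports which uid the server will act as for root and for everyone else, then audits every client entry in an exports text. The export lines are the two Cr0t posted above; the defaults encoded here (root_squash on, anonuid 65534) are nfs-utils' documented defaults, stated as an assumption rather than taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Works out which identity the NFS
# server will use for a client's requests from an export's option list, so the
# effect of all_squash / no_root_squash can be checked before running exportfs.
# Assumes nfs-utils semantics: root_squash is the default, anonuid defaults to
# 65534 (nobody), and all_squash maps every client uid to anonuid.

# Constructed sample: the two export lines Cr0t posted above.
OP_EXPORTS='/home 192.168.0.0/26(rw,sync,fsid=0,no_subtree_check)
/home/VAULT 192.168.0.0/26(sync,all_squash,no_subtree_check)'

# Print "root=<uid> others=<uid|unchanged>" for one comma-separated option list.
nfs_squash_map() {
    printf '%s\n' "$1" | awk -F, '{
        anon = 65534; all = 0; noroot = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "all_squash") all = 1
            else if ($i == "no_all_squash") all = 0
            else if ($i == "no_root_squash") noroot = 1
            else if ($i == "root_squash") noroot = 0
            else if ($i ~ /^anonuid=/) anon = substr($i, 9)
        }
        # all_squash wins over no_root_squash: every uid, root included, becomes anonuid.
        if (all) printf "root=%s others=%s\n", anon, anon
        else if (noroot) printf "root=0 others=unchanged\n"
        else printf "root=%s others=unchanged\n", anon
    }'
}

# Walk an exports text and print one "path client mapping" line per client entry.
exports_audit() {
    printf '%s\n' "$1" | awk '
        $1 !~ /^#/ && NF >= 2 {
            for (i = 2; i <= NF; i++) {
                c = $i; o = ""
                # Split "client(opts)" into the client spec and the option list.
                if (match(c, /\(.*\)$/)) {
                    o = substr(c, RSTART + 1, RLENGTH - 2)
                    c = substr(c, 1, RSTART - 1)
                }
                print $1, c, o
            }
        }' | while read -r path client opts; do
        printf '%s %s %s\n' "$path" "$client" "$(nfs_squash_map "$opts")"
    done
}

exports_audit "$OP_EXPORTS"
# /home 192.168.0.0/26 root=65534 others=unchanged
# /home/VAULT 192.168.0.0/26 root=65534 others=65534
```

With all_squash on /home/VAULT every client request arrives as uid 65534, so the permissions (and, for an encrypted ext4 directory, the keyring) of the user who owns the files never come into play. The audit reads only the text it is given; after editing the real file, `exportfs -r` reloads it and `exportfs -v` prints the options the server is actually applying.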
Cr0t (l33t)
Joined: 27 Apr 2002 Posts: 945 Location: USA
Posted: Mon Aug 27, 2018 11:27 pm
Yamakuzure wrote:
    Cr0t wrote:
        I added fsid to my home export and changed the mount option.
    And did you issue "exportfs -r -f" on your server after changing /etc/exports?
    btw.: The option all_squash may not be what you want. It means that all access is changed to nobody:nogroup. Does nobody have access to your files and directories?
I restarted nfs and tried all different kinds of combinations of nfs settings. All the files are encrypted.
_________________
cya
salahx (Guru)
Joined: 12 Mar 2005 Posts: 559
Posted: Tue Aug 28, 2018 2:51 am
I tried this for myself in a virtual machine as the OP did it. It doesn't work for me either.
BUT when I run e4crypt as root and add it to root's session, it works! (You're probably seeing a mix of stuff due to attribute caching. Pass the -o noac option on the client to turn it off.) This sort of makes sense: the NFS server needs access to the key in the keyring, and although you might think it impersonates the owner of the file and searches that user's keyring for the keys, it doesn't. It gets its keys from root. How exactly the NFS server (with its own session) gets the key from another session (even though they might be running as the same user) evades me, however. I can't see how it works. Perhaps it SHOULDN'T work....
Note that given the purposes ext4 file encryption is used for, you probably shouldn't be exporting encrypted data anyways.