Gentoo Forums
Networking & Security
ext4 encryption shared over NFS4
Cr0t
l33t
Joined: 27 Apr 2002
Posts: 944
Location: USA

PostPosted: Sat Aug 25, 2018 6:12 pm    Post subject: ext4 encryption shared over NFS4

I am trying to share an encrypted ext4 directory over nfs4. The directory is shared via (/etc/exports)
Code:
/home/VAULT             192.168.0.0/26(sync,no_root_squash,rw,no_subtree_check)
After the server starts up, I add the ext4 key and locally everything looks great. I add the key as a local user and NOT as root.
Code:
/usr/sbin/e4crypt add_key -S $CRYPTOSALT $ENCRYPTFOLDER
At this point, I start nfs and the client mounts it like this
Code:
datastorm:/home/VAULT   /mnt/LAN/VAULT  nfs4            rw,rsize=65536,wsize=65536,intr,noatime,retrans=15 0 0
The client has access to the directory structure and some of the file names are even how they are supposed to be; however, the majority of the file names are encrypted and none of the files are readable. When I try to `cat` a file, I get "Operation not permitted".


Any ideas?
_________________
cya
    ©®0t
krinn
Watchman
Joined: 02 May 2003
Posts: 7470

PostPosted: Sun Aug 26, 2018 9:06 am

Your server is exporting badly for nfs4: nfs4 needs a rootnfs (which is marked with fsid=0), and directories are attached to it; because you have not created any, your /home/VAULT should by default be used as the rootnfs.

And the way a client mounts an nfs as 3 or 4 (because 4 is compatible) depends on how the client asks for the mount.
To mount that as nfs3: datastorm:/home/VAULT /mnt/LAN/VAULT nfs nfsvers=3,vers=3
And as nfs4: datastorm:/ /mnt/LAN/VAULT nfs
Keep in mind the nfsroot, because in nfs4 your exported /home/VAULT is taken as /; for the client in nfs4 no /home/VAULT exists at all, so a client referencing it as /home/VAULT is trying to point to the server structure /home/VAULT/home/VAULT.
In nfs4, exported directories are all attached to that nfsroot structure, meaning if you want to export a directory that is outside it, you must bind it to another one that is inside it.

If it helps you get the idea, here's a real example
Code:
/export      192.168.0.0/24(rw,sec=sys,fsid=0,no_root_squash,no_subtree_check,nohide,async,anonuid=250,anongid=250)
/export/kernel   192.168.0.0/24(rw,no_subtree_check,async,nohide)
/export/distfiles   192.168.0.0/24(rw,no_subtree_check,async,no_root_squash,nohide,secure,anonuid=250,anongid=250)

Note that kernel and distfiles are bind-mounted so as to be part of the nfsroot structure.

To mount as an nfs3 client do: server:/export/distfiles /somedir nfs rw,users,nfsvers=3,vers=3
To use it as an nfs4 client do: server:/distfiles /somedir nfs rw,users

It depends on the nfs4 implementation, but in real nfs4 doing this is invalid: server:/export/distfiles, as it means you are looking for the /export/export/distfiles directory, which does not exist.

I suppose the first thing you should do is fix that mess. Next to that, maybe someone could help you with your encryption issue.
Cr0t
l33t
Joined: 27 Apr 2002
Posts: 944
Location: USA

PostPosted: Mon Aug 27, 2018 1:50 pm

I added fsid to my home export and changed the mount option.
Code:
/home           192.168.0.0/26(rw,sync,fsid=0,no_subtree_check)
/home/VAULT             192.168.0.0/26(sync,all_squash,no_subtree_check)
I did not expect this to help, but this is what a `find /mnt/LAN/VAULT -type f` reveals
Code:
...
find: ‘VAULT/AB/xJzsIfhxhIdtog7HGBc8FbuG6NA/OtK31r9117t033xw3S07WC/ZSfHwZnMeEYAxlN4c+hTMaMT8eI’: Permission denied
...
VAULT/AC/iFUYyPp1BbJXPxG+HT3YdBb0xfB/V0LN5s6bSmP2CQ0ObHyNuA/_WgR+93mXzNXNpqFowO,rlau4SO8IlDae
...
VAULT/AD/readme.txt
...
Touching a file just hangs.

For testing purposes, I set up samba and sharing works as expected.
_________________
cya
    ©®0t
Yamakuzure
Advocate
Joined: 21 Jun 2006
Posts: 2280
Location: Adendorf, Germany

PostPosted: Mon Aug 27, 2018 2:25 pm

Cr0t wrote:
I added fsid to my home export and changed the mount option.
And did you issue "exportfs -r -f" on your server after changing /etc/exports?

btw.: The option all_squash may not be what you want. It means that all access is changed to nobody:nogroup. Does nobody have access to your files and directories?
_________________
Important German:
  1. "Aha" - German reaction to pretend that you are really interested while giving no f*ck.
  2. "Tja" - German reaction to the apocalypse, nuclear war, an alien invasion or no bread in the house.
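The pseudo-root rule krinn lays out above (one export carries fsid=0, every other NFSv4 export is addressed by the client relative to it, and a directory outside it is invisible until bound inside) and Yamakuzure's point about all_squash can both be checked mechanically before restarting nfs. The script below is an added example, not code from the thread or from nfs-utils: it reads an exports file, prints for each export the path an NFSv4 client would mount (or OUTSIDE when the export is not under the pseudo-root), and warns about all_squash and no_root_squash. The exports content it writes is constructed for the demo, modelled on the lines in the thread, and every function name is my own.

```shell
#!/bin/sh
# Added example (not from the thread, not nfs-utils code): sanity-check an
# /etc/exports file against the NFSv4 pseudo-root rule and flag squash options.
# All function names are hypothetical; the sample exports content is constructed.

# Write a constructed exports file modelled on the thread's lines; print its path.
make_sample_exports() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample, modelled on the thread
/export           192.168.0.0/24(rw,sec=sys,fsid=0,no_root_squash,no_subtree_check,nohide)
/export/kernel    192.168.0.0/24(rw,no_subtree_check,async,nohide)
/home/VAULT       192.168.0.0/26(sync,all_squash,no_subtree_check)
EOF
    echo "$f"
}

# Print the export marked fsid=0 (or fsid=root), i.e. the NFSv4 pseudo-root;
# print nothing when no export carries it.
nfs4_root() {
    awk '$1 !~ /^#/ && NF >= 2 {
            for (i = 2; i <= NF; i++)
                if ($i ~ /[(,]fsid=(0|root)[,)]/) { print $1; exit }
         }' "$1"
}

# Translate a server-side export path into the path an NFSv4 client mounts.
# $1 = pseudo-root, $2 = export path. The root itself is "/", an export under
# the root is its path relative to the root, and an export outside the root is
# reported as OUTSIDE: it is invisible to NFSv4 clients until bind-mounted inside.
nfs4_client_path() {
    root=$1; path=$2
    [ "$root" = "/" ] && { echo "$path"; return 0; }
    case "$path" in
        "$root")   echo "/" ;;
        "$root"/*) echo "/${path#"$root"/}" ;;
        *)         echo "OUTSIDE" ;;
    esac
}

# Emit "<export> <option>" for every export using all_squash (every client uid
# becomes the anonymous user, so the data's owner loses access) or
# no_root_squash (a client's root is trusted as root on the server).
squash_report() {
    awk '$1 !~ /^#/ && NF >= 2 {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /[(,]all_squash[,)]/)     print $1, "all_squash"
                if ($i ~ /[(,]no_root_squash[,)]/) print $1, "no_root_squash"
            }
         }' "$1"
}

# Full report for one exports file; returns 1 when there is no pseudo-root.
check_exports() {
    root=$(nfs4_root "$1")
    if [ -z "$root" ]; then
        echo "no fsid=0 export: NFSv4 clients have no pseudo-root to mount"
        return 1
    fi
    awk '$1 !~ /^#/ && NF >= 2 { print $1 }' "$1" | while read -r p; do
        printf '%s -> mount as server:%s\n' "$p" "$(nfs4_client_path "$root" "$p")"
    done
    squash_report "$1" | while read -r p opt; do
        printf 'warning: %s uses %s\n' "$p" "$opt"
    done
}

# Demo on the constructed sample (on a server: check_exports /etc/exports).
sample=$(make_sample_exports)
check_exports "$sample"
rm -f "$sample"
```

Run against a real file with `check_exports /etc/exports`. An export reported as OUTSIDE is the shape of the original post's setup, where /home/VAULT was exported with no fsid=0 root at all; the missing-root case makes the function return 1 so it can gate a service restart. The all_squash warning is the question Yamakuzure raises: with that option the real owner's uid never reaches the server, so files that only that user may read are inaccessible regardless of what the client does.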
Cr0t
l33t
Joined: 27 Apr 2002
Posts: 944
Location: USA

PostPosted: Mon Aug 27, 2018 11:27 pm

Yamakuzure wrote:
Cr0t wrote:
I added fsid to my home export and changed the mount option.
And did you issue "exportfs -r -f" on your server after changing /etc/exports?

btw.: The option all_squash may not be what you want. It means that all access is changed to nobody:nogroup. Does nobody have access to your files and directories?
I restarted nfs and tried all different kind of combinations of nfs settings. All the files are encrypted.
_________________
cya
    ©®0t
salahx
Guru
Joined: 12 Mar 2005
Posts: 530

PostPosted: Tue Aug 28, 2018 2:51 am

I tried this for myself in a virtual machine as the OP did it. It doesn't work for me either.

BUT when I run e4crypt as root and add it to root's session, it works! (You're probably seeing a mix of stuff due to attribute caching. Pass the -o noac option on the client to turn it off.) This sort of makes sense: the NFS server needs access to the key in the keyring, and although you might think it impersonates the owner of the file and searches that user's keyring for the keys, it doesn't. It gets its keys from root. How exactly the NFS server (with its own session) gets the key from another session (even though they might be running as the same user) evades me, however. I can't see how it works. Perhaps it SHOULDN'T work....

Note that given the purposes ext4 file encryption is used for, you probably shouldn't be exporting encrypted data anyways.
All times are GMT