From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] encrypt NFS
Date: Fri, 28 Oct 2011 10:00:26 +0200
Message-ID: <20111028080025.GA20382@tansi.org>
In-Reply-To: <CAEHjwJ6_=MYwWxyjRB4GMQBLHuvokSHdx4a=Ub51RU1J-_BcYw@mail.gmail.com>

Depends on your threat model. You could tunnel unencrypted NFS over some
VPN tunnel (OpenVPN, e.g.). You could do a network-block-device export,
which should be encryptable in the standard way. You could export NFS with
a file in it and have that file contain an encrypted LUKS container that
gets loop-mounted on the target. I am sure other options exist.

So ask yourself:
- What does the attacker have access to?
- What can the attacker do at the access point? (With regard to his
  capabilities.)
- Does this need to be exported to one or several targets?
- Does the exporting host need access to the exported data?

Arno

On Thu, Oct 27, 2011 at 07:09:19PM -0400, Gary Webster wrote:
> Thanks very much for the replies.
> That was going to be my next question: Are there other practical ways to do
> this?
>
> So, is ecryptfs no good, & are there any other options?
>
>
> On Thu, Oct 27, 2011 at 7:06 PM, Roscoe <eocsor@gmail.com> wrote:
>
> > While I'm not confident of the quality, this would be one of the
> > places ecryptfs fits into.
> >
> > On Fri, Oct 28, 2011 at 9:36 AM, Gary Webster <webster@lexmark.com> wrote:
> > > Hello.
> > > Sorry if this is a FAQ. I've done some searching, & didn't find anything
> > > concrete.
> > > How/Can I encrypt an NFS mount (from the client)?
> > > Thanks.
> > >
> > > _______________________________________________
> > > dm-crypt mailing list
> > > dm-crypt@saout.de
> > > http://www.saout.de/mailman/listinfo/dm-crypt
> >
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
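
The third option in the reply above (a LUKS container file kept on the NFS export and opened on the client), sketched as an added example that is not part of the original message. The paths, the mapping name and the `DRY_RUN` switch are assumptions made for illustration; with `DRY_RUN=1` (the default) the functions only print the commands they would run.

```shell
#!/bin/sh
# Added example: LUKS container file on an NFS mount, opened on the client.
# Hypothetical names used in the usage lines: /mnt/nfs/secure.img, nfs_crypt, /mnt/secure.
# The NFS server stores only ciphertext; the key never leaves the client.
# Open the container from ONE client at a time: the filesystem inside is not
# cluster-aware, so concurrent mounts from several clients corrupt it.
DRY_RUN="${DRY_RUN:-1}"   # set DRY_RUN=0 and run as root to execute for real

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One-time setup. Arguments: image-path size mapping-name
create_container() {
    if [ -e "$1" ]; then
        echo "refusing to overwrite existing file: $1" >&2
        return 1
    fi
    run truncate -s "$2" "$1" &&
    run cryptsetup luksFormat "$1" &&
    run cryptsetup open "$1" "$3" &&   # cryptsetup attaches the loop device itself
    run mkfs.ext4 "/dev/mapper/$3" &&
    run cryptsetup close "$3"
}

# Per-session use. Arguments: image-path mapping-name mountpoint
open_container() {
    run cryptsetup open "$1" "$2" &&
    run mount "/dev/mapper/$2" "$3"
}

# Arguments: mapping-name mountpoint
close_container() {
    run umount "$2" &&
    run cryptsetup close "$1"
}

# Usage (as root, DRY_RUN=0):
#   create_container /mnt/nfs/secure.img 1G nfs_crypt
#   open_container   /mnt/nfs/secure.img nfs_crypt /mnt/secure
#   close_container  nfs_crypt /mnt/secure
```
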
Thread overview: 5+ messages
2011-10-27 22:36 [dm-crypt] encrypt NFS Gary Webster
2011-10-27 22:47 ` anton ivanov
2011-10-27 23:06 ` Roscoe
2011-10-27 23:09 ` Gary Webster
2011-10-28 8:00 ` Arno Wagner [this message]