* [dm-crypt] encrypt NFS @ 2011-10-27 22:36 Gary Webster 2011-10-27 22:47 ` anton ivanov 2011-10-27 23:06 ` Roscoe 0 siblings, 2 replies; 5+ messages in thread From: Gary Webster @ 2011-10-27 22:36 UTC (permalink / raw) To: dm-crypt [-- Attachment #1: Type: text/plain, Size: 151 bytes --] Hello. Sorry if this is a FAQ. I've done some searching, & didn't find anything concrete. How/Can I encrypt an NFS mount (from the client)? Thanks. [-- Attachment #2: Type: text/html, Size: 239 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [dm-crypt] encrypt NFS 2011-10-27 22:36 [dm-crypt] encrypt NFS Gary Webster @ 2011-10-27 22:47 ` anton ivanov 2011-10-27 23:06 ` Roscoe 1 sibling, 0 replies; 5+ messages in thread From: anton ivanov @ 2011-10-27 22:47 UTC (permalink / raw) To: Gary Webster; +Cc: dm-crypt Hello, you can't. Cryptsetup is for encrypting block devices atop of which file system is created. You have two options: 1) encrypting partiotion/hdd on NFS-server, creating fs on it and set up NFS. 2) you can create file large enough on NFS, make a loop device from it and encrypt this loop device. Regards. ai. On Fri, Oct 28, 2011 at 01:36, Gary Webster <webster@lexmark.com> wrote: > Hello. > Sorry if this is a FAQ. I've done some searching, & didn't find anything > concrete. > How/Can I encrypt an NFS mount (from the client)? > Thanks. > > _______________________________________________ > dm-crypt mailing list > dm-crypt@saout.de > http://www.saout.de/mailman/listinfo/dm-crypt > > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [dm-crypt] encrypt NFS 2011-10-27 22:36 [dm-crypt] encrypt NFS Gary Webster 2011-10-27 22:47 ` anton ivanov @ 2011-10-27 23:06 ` Roscoe 2011-10-27 23:09 ` Gary Webster 1 sibling, 1 reply; 5+ messages in thread From: Roscoe @ 2011-10-27 23:06 UTC (permalink / raw) To: Gary Webster; +Cc: dm-crypt While I'm not confident of the quality, this would be one of the places ecryptfs fits into. On Fri, Oct 28, 2011 at 9:36 AM, Gary Webster <webster@lexmark.com> wrote: > Hello. > Sorry if this is a FAQ. I've done some searching, & didn't find anything > concrete. > How/Can I encrypt an NFS mount (from the client)? > Thanks. > > _______________________________________________ > dm-crypt mailing list > dm-crypt@saout.de > http://www.saout.de/mailman/listinfo/dm-crypt > > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [dm-crypt] encrypt NFS 2011-10-27 23:06 ` Roscoe @ 2011-10-27 23:09 ` Gary Webster 2011-10-28 8:00 ` Arno Wagner 0 siblings, 1 reply; 5+ messages in thread From: Gary Webster @ 2011-10-27 23:09 UTC (permalink / raw) To: Roscoe; +Cc: dm-crypt [-- Attachment #1: Type: text/plain, Size: 743 bytes --] Thanks very much for the replies. That was going to be my next question: Are there other practical ways to do this? So, is ecryptfs no good, & are there any other options? On Thu, Oct 27, 2011 at 7:06 PM, Roscoe <eocsor@gmail.com> wrote: > While I'm not confident of the quality, this would be one of the > places ecryptfs fits into. > > On Fri, Oct 28, 2011 at 9:36 AM, Gary Webster <webster@lexmark.com> wrote: > > Hello. > > Sorry if this is a FAQ. I've done some searching, & didn't find anything > > concrete. > > How/Can I encrypt an NFS mount (from the client)? > > Thanks. > > > > _______________________________________________ > > dm-crypt mailing list > > dm-crypt@saout.de > > http://www.saout.de/mailman/listinfo/dm-crypt > [-- Attachment #2: Type: text/html, Size: 1365 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [dm-crypt] encrypt NFS 2011-10-27 23:09 ` Gary Webster @ 2011-10-28 8:00 ` Arno Wagner 0 siblings, 0 replies; 5+ messages in thread From: Arno Wagner @ 2011-10-28 8:00 UTC (permalink / raw) To: dm-crypt Dependst on your threat model. You could tunnel unencrypted NFS over some VPN tunnel (open VPN, e.g.). You could do a network-block-device export, whoch should be encryptable in the standard way. You could export NFS with a file in it and have that file contain an encrypted LUKS container that gets loop-mounted on the target. I am sure other options exist. So ask yourself: - What does the attacker have access to? - What can the attacker do at the access point? (With regard to his capabilities.) - Does this need to be exported to one or several targets? - Does the exporting host need access to the exported data? Arno On Thu, Oct 27, 2011 at 07:09:19PM -0400, Gary Webster wrote: > Thanks very much for the replies. > That was going to be my next question: Are there other practical ways to do > this? > > So, is ecryptfs no good, & are there any other options? > > > On Thu, Oct 27, 2011 at 7:06 PM, Roscoe <eocsor@gmail.com> wrote: > > > While I'm not confident of the quality, this would be one of the > > places ecryptfs fits into. > > > > On Fri, Oct 28, 2011 at 9:36 AM, Gary Webster <webster@lexmark.com> wrote: > > > Hello. > > > Sorry if this is a FAQ. I've done some searching, & didn't find anything > > > concrete. > > > How/Can I encrypt an NFS mount (from the client)? > > > Thanks. > > > > > > _______________________________________________ > > > dm-crypt mailing list > > > dm-crypt@saout.de > > > http://www.saout.de/mailman/listinfo/dm-crypt > > > _______________________________________________ > dm-crypt mailing list > dm-crypt@saout.de > http://www.saout.de/mailman/listinfo/dm-crypt -- Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2011-10-28 8:00 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2011-10-27 22:36 [dm-crypt] encrypt NFS Gary Webster 2011-10-27 22:47 ` anton ivanov 2011-10-27 23:06 ` Roscoe 2011-10-27 23:09 ` Gary Webster 2011-10-28 8:00 ` Arno Wagner
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox