Configuring an NFS Client with TLS

This task shows how to set up an NFS client so that it connects to a TLS-enabled NFS server over an encrypted transport. The client must trust the certificate that the server presents, so the server's CA (or self-signed) certificate is added to the client's system trust store before the share is mounted.

Ensure that the following are true before you begin:

  • The system is running Oracle Linux 9 or later.
  • You have a copy of the Certificate Authority (CA) certificate that issued the NFS server's certificate, or of the self-signed certificate generated on the NFS server as described in Generating a Self-Signed Certificate for TLS Authentication.
  • The ktls-utils package is installed.
  1. (Optional) Remove obsolete certificates.

    If you have been using self-signed certificates for testing, remove any previous, obsolete anchors first so that the client does not keep trusting a certificate that is no longer in use. For example, to list the existing anchors and then remove an unwanted anchor (the PKCS#11 URI contains semicolons, so it must be quoted when passed to the shell):

    trust list
    
    pkcs11:id=%43%0E%35%20%3B%78%60%39%D0%C7%F8%53%1A%B6%73%83%12%90%AC%5D;type=cert
    type: certificate
    label: Test CA
    trust: anchor
    category: authority
    ...
    sudo trust anchor --remove 'pkcs11:id=%43%0E%35%20%3B%78%60%39%D0%C7%F8%53%1A%B6%73%83%12%90%AC%5D;type=cert'
    
  2. Import the certificate into the system trust store.

    Run the following command to add the certificate that you copied from the NFS server (here, cert.pem) as a new anchor in the system trust policy store. The client uses this anchor to validate the server's certificate during the TLS handshake:

    sudo trust anchor cert.pem
  3. Enable and start the TLS daemon.

    The tlshd daemon performs the TLS handshake on behalf of the kernel. Run the following command to start it immediately and whenever the system reboots:

    sudo systemctl enable --now tlshd.service
  4. Mount the NFS share using TLS encryption.

    Run the following command, replacing server-hostname and /path/to/share with the NFS server's host name and the exported directory. The host name should match the name in the server's certificate. Without the xprtsec=tls option the share mounts normally but all traffic is sent in cleartext, so do not omit it:

    sudo mount -o xprtsec=tls server-hostname:/path/to/share /mnt/
  5. Verify the connection.

    Run the following command. Look for a message in the output that says the server handshake was successful. If the handshake failed, for example because the server's certificate does not chain to the anchor you imported, the failure is also reported here. As a second check, confirm that the mount options in effect for the mount point include xprtsec=tls rather than relying on the command line you typed:

    sudo journalctl -u tlshd
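The following script is an added example and is not part of the Oracle Linux documentation. It wraps steps 2 to 5 of the procedure in a function and adds the verification check described in step 5: it reads the mount table and reports whether the mount point is really an NFS mount carrying xprtsec=tls (the kernel also accepts xprtsec=mtls for mutual TLS, which the check treats as encrypted too). The CA file name, server name, export path, mount point and the sample mount-table text are all made up for the example. The deployment function only runs when the script is invoked with the argument apply; the checking functions run stand-alone on the constructed sample.

```shell
#!/bin/sh
# Added example, not from the Oracle Linux documentation.
# Assumed (hypothetical) values: CA file /root/nfs-ca.pem, server
# nfs.example.com, export /srv/share, mount point /mnt/share.

# nfs_mount_is_tls LINE
# LINE is one /proc/mounts-style record: "device mountpoint fstype options ...".
# Returns 0 if it is an NFS mount whose options carry xprtsec=tls or
# xprtsec=mtls, 1 otherwise (non-NFS, or NFS without transport security).
nfs_mount_is_tls() {
    set -- $1
    fstype=$3
    opts=$4
    case "$fstype" in
        nfs|nfs4) ;;
        *) return 1 ;;
    esac
    case ",$opts," in
        *,xprtsec=tls,*|*,xprtsec=mtls,*) return 0 ;;
        *) return 1 ;;
    esac
}

# tls_mount_status MOUNTPOINT MOUNTS_TEXT
# Prints "tls" if MOUNTPOINT is an NFS mount with TLS, "plain" if it is an
# NFS mount without TLS, and "absent" if MOUNTPOINT is not in MOUNTS_TEXT.
tls_mount_status() {
    mountpoint=$1
    mounts_text=$2
    status=absent
    while read -r dev mnt fstype opts rest; do
        [ "$mnt" = "$mountpoint" ] || continue
        if nfs_mount_is_tls "$dev $mnt $fstype $opts"; then
            status=tls
        else
            status=plain
        fi
    done <<EOF
$mounts_text
EOF
    echo "$status"
}

# Constructed sample mount table (not captured from a real system): one
# NFS share mounted with TLS and one mounted in cleartext.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
nfs.example.com:/srv/share /mnt/share nfs4 rw,relatime,vers=4.2,sec=sys,xprtsec=tls,addr=192.0.2.20 0 0
nfs.example.com:/srv/legacy /mnt/legacy nfs4 rw,relatime,vers=4.2,sec=sys,addr=192.0.2.20 0 0'

# apply_nfs_tls_client CA_FILE SERVER EXPORT MOUNTPOINT
# Steps 2 to 5 of the procedure, followed by the mount-option check.
apply_nfs_tls_client() {
    ca_file=$1; server=$2; export_path=$3; mountpoint=$4
    sudo trust anchor "$ca_file"                       # step 2
    sudo systemctl enable --now tlshd.service          # step 3
    sudo mkdir -p "$mountpoint"
    sudo mount -o xprtsec=tls "$server:$export_path" "$mountpoint"   # step 4
    case "$(tls_mount_status "$mountpoint" "$(cat /proc/mounts)")" in  # step 5
        tls)    echo "OK: $mountpoint is NFS over TLS" ;;
        plain)  echo "FAIL: $mountpoint is mounted WITHOUT TLS" >&2; return 1 ;;
        absent) echo "FAIL: $mountpoint is not mounted" >&2; return 1 ;;
    esac
    sudo journalctl -u tlshd --no-pager -n 20
}

# Only touch the system when explicitly asked: sh nfs-tls-client.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_nfs_tls_client /root/nfs-ca.pem nfs.example.com /srv/share /mnt/share
fi
```

Because the check reads the mount table rather than the command history, it catches the case where the share was remounted or re-added to /etc/fstab without the xprtsec option and is quietly running in cleartext. On a live system, run tls_mount_status against /proc/mounts, as apply_nfs_tls_client does.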