Azure NetApp Files introduced support for client-side NFSv4.1 encryption based on Kerberos with the June release. Note that ANF always encrypts data at rest using the FIPS 140-2 standard. This blog applies specifically to encrypting data traffic between the NFS client and the ANF volume, i.e. the data in flight.
ANF supports NFS encryption in Kerberos modes krb5, krb5i, and krb5p using AES-256 encryption.
- krb5 provides user authentication only
- krb5i provides authentication and integrity checksums (to verify data has not been altered)
- krb5p provides authentication, integrity checksums and data payload encryption
Let’s have a look at creating a krb5p volume and how to mount it to a vanilla Ubuntu 18.04 LTS virtual machine. Grab a cup (or pot) of coffee, this is going to be a long one!
Requirements
The Microsoft Docs page on Kerberos encryption lists the following requirements.
- Active Directory Domain Services (AD DS) connection to facilitate Kerberos ticketing (KDC server)
- DNS A/PTR record creation for both the client and Azure NetApp Files NFS server IP addresses
- NTP server
Step 1
First we need to configure the Kerberos Realm information for the ANF Active Directory connection. Log in to the Azure portal, select Azure NetApp Files –> your account –> Active Directory connections blade. From here either create a new AD connection or edit the existing one.
Enter the AD Server Name and KDC IP (this can be the same server) under the Kerberos Realm section. Additional KDC servers will be discovered through DNS.

Step 2
Navigate to the Volumes blade –> Add Volume. Fill in all settings in the Basics tab, select the Protocol tab and select the following options:
- Protocol type: NFS
- Versions: NFSv4.1
- Kerberos: Enabled
- Export policy: Read & Write –> Kerberos 5p

Click Review and create –> Create.
Step 3
Navigate to the newly created volume and select the Mount instructions. Note items 3 and 4.

When utilizing Kerberos, ANF creates an additional computer account with the prefix NFS, followed by the custom prefix and a random identifier –> NFS-ANFSMB-2DE3 in this example. We need to set the default encryption type to AES 256 for this computer account. This only needs to be done one time per computer account.
The Set-ADComputer cmdlet is part of the Active Directory PowerShell module. You can run the cmdlet directly on the Domain Controller or on a machine that has RSAT installed. Copy the Set-ADComputer command and execute it in an elevated PowerShell window. Make sure to replace NFS-ANFSMB-55DF with your computer account.
Set-ADComputer NFS-ANFSMB-2DE3 -KerberosEncryptionType AES256

Step 4
We’ll now prepare the Ubuntu machine. Log in to the VM and switch to root.
sudo -i
Step 5
Get the latest packages.
apt-get update
Step 6
Set the hostname, replace linux01 with your hostname.
hostnamectl set-hostname linux01
Step 7
Configure IP and DNS. First we will disable the default cloud-init networking config.
echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
Next we will create a new .yaml configuration file.
nano /etc/netplan/01-netcfg.yaml
Insert the following configuration. Replace IPs and search domain.
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
      addresses: [12.0.0.5/24]
      gateway4: 12.0.0.1
      nameservers:
        search: [anf.test]
        addresses: [12.0.0.100,10.0.0.100]
Save and exit. We will now apply the new config.
sudo netplan apply
N.B. Make sure a static IP is also configured on the Azure side.
Step 8
Install the NFS client.
apt-get install -y nfs-common
Step 9
Install chrony to configure NTP.
apt install -y chrony
Edit chrony.conf and point to your NTP servers.
nano /etc/chrony/chrony.conf

In this example we pointed to our two Active Directory servers. Replace with your settings. Save and exit.
Restart chrony to load the new config.
systemctl restart chrony
Confirm chrony is synced (look for the asterisk).
chronyc sources

Step 10
Install the required packages for AD join and Kerberos.
apt install -y sssd-ad sssd-tools realmd adcli packagekit krb5-user
The krb5-user package will prompt for the default Kerberos realm. Insert your realm in UPPERCASE (replace ANF.TEST).

The default realm is added to the /etc/krb5.conf file.
Step 11
Try to discover your realm through DNS. Replace anf.test.
realm -v discover anf.test

We are now ready to join the machine to AD. Execute the following command, replace user with an existing AD user that has sufficient rights to create computer accounts.
realm join -v -U user anf.test

Step 12
Reboot the machine.
reboot now
Step 13
The default sssd config will not create a DNS entry for the newly joined machine. We will create it manually in AD DNS. Replace Name and IP address.

Step 14
We are now ready to mount the Kerberos volume. Log back in to the machine and create the mount folder.
sudo mkdir nfs-krb5p
Execute the mount command from step 3.
sudo mount -t nfs -o sec=krb5p,rw,hard,rsize=1048576,wsize=1048576,vers=4.1,tcp ANFSMB-2de3.anf.test:/nfs-krb5p nfs-krb5p
That’s that! You have successfully mounted your NFSv4.1 krb5p volume.
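A mount command can silently end up with a weaker flavour than intended (for example when the export policy allows sec=sys as well), so it is worth confirming what the kernel actually negotiated. The following shell script is an added example, not part of the original post: it parses mount table entries in /proc/mounts format and reports whether a given mount point is NFSv4.1 with sec=krb5p, mapping each flavour to what it protects as listed at the top of this post. The sample mount table, the host name ANFSMB-2de3.anf.test, the paths under /home/azureuser and the IP addresses are constructed placeholders modelled on the post; on a live system pass the contents of /proc/mounts instead.

```shell
#!/bin/bash
# Added example (not from the original post): verify that an NFS mount really
# negotiated sec=krb5p (payload encryption) rather than krb5, krb5i or sec=sys.

# Constructed sample in /proc/mounts format. Host name, paths and addresses
# are placeholders modelled on the post, not real infrastructure.
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
ANFSMB-2de3.anf.test:/nfs-krb5p /home/azureuser/nfs-krb5p nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=12.0.0.5,local_lock=none,addr=12.0.0.50 0 0
ANFSMB-2de3.anf.test:/nfs-sys /home/azureuser/nfs-sys nfs4 rw,relatime,vers=4.1,hard,proto=tcp,sec=sys,clientaddr=12.0.0.5,local_lock=none,addr=12.0.0.50 0 0'

# Print the mount options (4th field) of the NFS mount at $2 in the mount
# table text $1; print nothing and return 1 if there is no such NFS mount.
nfs_mount_opts() {
    mounts="$1"; mountpoint="$2"
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mountpoint" '$2 == mp && $3 ~ /^nfs/ { print $4; exit }')
    [ -n "$opts" ] || return 1
    printf '%s\n' "$opts"
}

# Print the security flavour (sys, krb5, krb5i, krb5p) of the mount at $2,
# or "none" if the mount point is not an NFS mount. Absent sec= means AUTH_SYS.
nfs_sec_flavor() {
    opts=$(nfs_mount_opts "$1" "$2") || { echo none; return 1; }
    sec=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p')
    echo "${sec:-sys}"
}

# Describe what each flavour actually protects (mirrors the list in the post).
describe_flavor() {
    case "$1" in
        krb5p) echo "authentication, integrity checksums and payload encryption" ;;
        krb5i) echo "authentication and integrity checksums only; payload in the clear" ;;
        krb5)  echo "authentication only; payload in the clear" ;;
        sys)   echo "AUTH_SYS: no Kerberos authentication, no encryption" ;;
        *)     echo "unknown flavour" ;;
    esac
}

# Return 0 only if the mount at $2 is NFSv4.1 with sec=krb5p; 1 if it is an
# NFS mount with a weaker flavour or version; 2 if it is not an NFS mount.
check_krb5p_mount() {
    mounts="$1"; mountpoint="$2"
    opts=$(nfs_mount_opts "$mounts" "$mountpoint") || { echo "$mountpoint: not an NFS mount"; return 2; }
    sec=$(nfs_sec_flavor "$mounts" "$mountpoint")
    vers=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^vers=//p')
    if [ "$sec" = krb5p ] && [ "$vers" = 4.1 ]; then
        echo "$mountpoint: OK, NFSv$vers sec=$sec ($(describe_flavor "$sec"))"
        return 0
    fi
    echo "$mountpoint: NOT krb5p, NFSv${vers:-?} sec=$sec ($(describe_flavor "$sec"))"
    return 1
}

# Demonstration against the constructed table; on a real client use:
#   check_krb5p_mount "$(cat /proc/mounts)" "$PWD/nfs-krb5p"
for mp in /home/azureuser/nfs-krb5p /home/azureuser/nfs-sys; do
    check_krb5p_mount "$SAMPLE_MOUNTS" "$mp" || true
done
```

The script deliberately treats a missing sec= option as AUTH_SYS, because that is the kernel default, and it checks the version as well: an NFSv3 or NFSv4.0 mount would not be the NFSv4.1 Kerberos configuration created in step 2 even if the client asked for krb5p.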
Resources
https://docs.microsoft.com/azure/azure-netapp-files/configure-kerberos-encryption