
How to setup NFSv4.1 client encryption on ANF

Azure NetApp Files (ANF) introduced support for client-side NFSv4.1 encryption based on Kerberos with the June release. Please note that ANF always encrypts data at rest using the FIPS 140-2 standard. This blog post applies specifically to encrypting data traffic between the NFS client and the ANF volume, the data in flight.

ANF supports NFS encryption in Kerberos modes krb5, krb5i, and krb5p using AES-256 encryption.

  • krb5 provides user authentication only
  • krb5i provides authentication and integrity checksums (to verify data has not been altered)
  • krb5p provides authentication, integrity checksums and data payload encryption

Let’s have a look at creating a krb5p volume and how to mount it to a vanilla Ubuntu 18.04 LTS virtual machine. Grab a cup (or pot) of coffee, this is going to be a long one!

Requirements
The Microsoft Docs page on Kerberos encryption lists the following requirements.

  • Active Directory Domain Services (AD DS) connection to facilitate Kerberos ticketing (KDC server)
  • DNS A/PTR record creation for both the client and Azure NetApp Files NFS server IP addresses
  • NTP server

Step 1
First we need to configure the Kerberos Realm information for the ANF Active Directory connection. Log in to the Azure portal and select Azure NetApp Files –> your account –> Active Directory connections blade. From here, either create a new AD connection or edit the existing one.

Enter the AD Server Name and KDC IP (this can be the same server) under the Kerberos Realm section. Additional KDC servers will be discovered through DNS.

[Screenshot: ANF Kerberos Realm]

Step 2
Navigate to the Volumes blade –> Add Volume. Fill in all settings in the Basics tab, then select the Protocol tab and choose the following options:

  • Protocol type: NFS
  • Versions: NFSv4.1
  • Kerberos: Enabled
  • Export policy: Read & Write –> Kerberos 5p

[Screenshot: ANF Protocol]

Click Review and create –> Create.

Step 3
Navigate to the newly created volume and select the Mount instructions. Note items 3 and 4.

[Screenshot: ANF mount instructions]

When Kerberos is enabled, ANF creates an additional computer account named with the prefix NFS-, followed by the custom prefix and a random identifier (NFS-ANFSMB-2DE3 in this example). We need to set the default encryption type of this computer account to AES-256. This only needs to be done once per computer account.

The Set-ADComputer cmdlet is part of the Active Directory PowerShell module. You can run it directly on a Domain Controller or on a machine that has RSAT installed. Copy the Set-ADComputer command and execute it in an elevated PowerShell window. Make sure to replace NFS-ANFSMB-55DF with your computer account.

Set-ADComputer NFS-ANFSMB-2DE3 -KerberosEncryptionType AES256

[Screenshot: Set-ADComputer]

Step 4
We’ll now prepare the Ubuntu machine. Log in to the VM and switch to root.
sudo -i

Step 5
Get the latest packages.
apt-get update

Step 6
Set the hostname, replace linux01 with your hostname.
hostnamectl set-hostname linux01

Step 7
Configure IP and DNS. First we disable the default cloud-init networking config.
echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg

Next we will create a new .yaml configuration file.
nano /etc/netplan/01-netcfg.yaml

Insert the following configuration. Replace IPs and search domain.

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
      addresses: [12.0.0.5/24]
      gateway4: 12.0.0.1
      nameservers:
        search: [anf.test]
        addresses: [12.0.0.100,10.0.0.100]

Save and exit. We will now apply the new config.
sudo netplan apply

N.B. Make sure a static IP is also configured on the Azure side.

Step 8
Install the NFS client.
apt-get install -y nfs-common

Step 9
Install chrony to configure NTP.
apt install -y chrony

Edit chrony.conf and point to your NTP servers.
nano /etc/chrony/chrony.conf

[Screenshot: chrony config]

In this example we pointed to our two Active Directory servers. Replace with your settings. Save and exit.

Restart chrony to load the new config.
systemctl restart chrony

Confirm chrony is synced (look for the asterisk).
chronyc sources

[Screenshot: chrony sync]

Step 10
Install the required packages for AD join and Kerberos.
apt install -y sssd-ad sssd-tools realmd adcli packagekit krb5-user

The krb5-user package will prompt for the default Kerberos realm. Insert your realm in UPPERCASE (replace ANF.TEST).

[Screenshot: Kerberos Realm prompt]

The default realm is added to the /etc/krb5.conf file.

Step 11
Try to discover your realm through DNS. Replace anf.test.
realm -v discover anf.test

[Screenshot: realm discover]

We are now ready to join the machine to AD. Execute the following command, replacing user with an existing AD user that has sufficient rights to create computer accounts.
realm join -v -U user anf.test

[Screenshot: realm join]

Step 12
Reboot the machine.
reboot now

Step 13
The default sssd config will not create a DNS entry for the newly joined machine, so we create it manually in AD DNS. Replace the name and IP address.

[Screenshot: Active Directory add DNS entry]

Step 14
We are now ready to mount the Kerberos volume. Log back in to the machine and create the mount folder.
sudo mkdir nfs-krb5p

Execute the mount command from step 3.
sudo mount -t nfs -o sec=krb5p,rw,hard,rsize=1048576,wsize=1048576,vers=4.1,tcp ANFSMB-2de3.anf.test:/nfs-krb5p nfs-krb5p

That’s that! You have successfully mounted your NFSv4.1 krb5p volume.
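A practical follow-up once the mount command returns is to confirm that the client really is where these steps were aiming: clocks in sync (a Kerberos precondition), an AES-256 key in the client's own keytab, and a mount that negotiated sec=krb5p rather than sec=sys or krb5i. The POSIX sh below is an added example, not part of the original post or of any ANF or Microsoft tooling; the principal LINUX01$@ANF.TEST, the hosts dc01/dc02 and all sample outputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: verification checks for a
# krb5p NFSv4.1 mount on the Ubuntu client. Every check parses command output
# from stdin, so it can be tried with the constructed samples below and, on a
# real client, with the live command named in each comment.

# 0 when chrony has a selected, synchronised source (line starting with "^*").
# Kerberos rejects tickets when client and KDC clocks drift too far apart.
# Live use:  chronyc sources | chrony_synced
chrony_synced() {
    grep -q '^\^\*'
}

# 0 when the keytab listing contains PRINCIPAL with an AES-256 enctype, i.e.
# the client can authenticate to the KDC with AES rather than a legacy enctype.
# The principal name is an assumption for this example; check which principal
# rpc.gssd actually uses on your client (journalctl -u rpc-gssd shows it).
# Live use:  klist -ke | keytab_has_aes256 'LINUX01$@ANF.TEST'
keytab_has_aes256() {
    grep -F "$1" | grep -qi 'aes256'
}

# 0 when the /proc/mounts entry for MOUNTPOINT is NFSv4.1 with sec=krb5p.
# A mount that ended up with sec=sys or sec=krb5i fails this check.
# Live use:  mount_is_krb5p /root/nfs-krb5p < /proc/mounts
mount_is_krb5p() {
    awk -v m="$1" '
        $2 == m && $3 == "nfs4" {
            n = split($4, opt, ",")
            sec = 0; ver = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] == "sec=krb5p") sec = 1
                if (opt[i] == "vers=4.1") ver = 1
            }
            if (sec && ver) ok = 1
        }
        END { exit(ok ? 0 : 1) }'
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_CHRONY='210 Number of sources = 2
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* dc01.anf.test                 3   6   377    21   +120us[ +140us] +/-   12ms
^+ dc02.anf.test                 3   6   377    20   +300us[ +320us] +/-   15ms'

SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 LINUX01$@ANF.TEST (aes256-cts-hmac-sha1-96)
   2 LINUX01$@ANF.TEST (aes128-cts-hmac-sha1-96)'

SAMPLE_MOUNTS='ANFSMB-2de3.anf.test:/nfs-krb5p /root/nfs-krb5p nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,hard,proto=tcp,sec=krb5p,clientaddr=12.0.0.5,addr=12.0.0.4 0 0
ANFSMB-2de3.anf.test:/nfs-sys /root/nfs-sys nfs4 rw,relatime,vers=4.1,hard,proto=tcp,sec=sys,addr=12.0.0.4 0 0'

# Runs the three checks against the samples, prints PASS/FAIL per check and
# returns the number of failed checks (0 means everything is as expected).
run_sample_checks() {
    failed=0
    printf '%s\n' "$SAMPLE_CHRONY" | chrony_synced \
        && echo "PASS time synchronised" \
        || { echo "FAIL time not synchronised"; failed=$((failed + 1)); }
    printf '%s\n' "$SAMPLE_KEYTAB" | keytab_has_aes256 'LINUX01$@ANF.TEST' \
        && echo "PASS AES-256 key present in keytab" \
        || { echo "FAIL no AES-256 key for principal"; failed=$((failed + 1)); }
    printf '%s\n' "$SAMPLE_MOUNTS" | mount_is_krb5p /root/nfs-krb5p \
        && echo "PASS mount uses NFSv4.1 with sec=krb5p" \
        || { echo "FAIL mount is not krb5p"; failed=$((failed + 1)); }
    return "$failed"
}

run_sample_checks
```

Each function reads the live command's output on stdin, so on the client the same checks run as chronyc sources | chrony_synced, klist -ke | keytab_has_aes256 '<principal>' and mount_is_krb5p <mountpoint> < /proc/mounts, with the mount point written exactly as it appears in /proc/mounts. The second /proc/mounts sample line shows why the last check matters: a volume exported with a sec=sys policy mounts without complaint and looks identical from the shell, yet carries no encryption.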


Resources
https://docs.microsoft.com/azure/azure-netapp-files/configure-kerberos-encryption
