# ext4 encryption shared over NFS4

## Cr0t

I am trying to share an encrypted ext4 directory over nfs4. The directory is shared via `/etc/exports`:

```
/home/VAULT             192.168.0.0/26(sync,no_root_squash,rw,no_subtree_check)
```

After the server starts up, I add the ext4 key and locally everything looks great. I add the key as a local user and NOT as root.

```
/usr/sbin/e4crypt add_key -S $CRYPTOSALT $ENCRYPTFOLDER
```

At this point, I start nfs and the client mounts it like this:

```
datastorm:/home/VAULT   /mnt/LAN/VAULT  nfs4            rw,rsize=65536,wsize=65536,intr,noatime,retrans=15 0 0
```

The client has access to the directory structure and some of the file names are even how they are supposed to be; however, the majority of the file names are encrypted and none of the files are readable. When I try to `cat` a file, I get "Operation not permitted".

Any ideas?

----------

## krinn

Your server is badly exporting as nfs4: nfs4 needs a rootnfs (which is marked with fsid=0), and directories are attached to it; because you have not created any, your /home/VAULT should by default be used as the rootnfs.

And the way a client mounts an nfs as 3 or 4 (because 4 is compatible) depends on how the client asks for the mount.

To mount that as nfs3: `datastorm:/home/VAULT /mnt/LAN/VAULT nfs nfsvers=3,vers=3`

And as nfs4: `datastorm:/ /mnt/LAN/VAULT nfs`

Keep in mind the nfsroot, because in nfs4 your exported /home/VAULT is taken as /; for the client in nfs4 no /home/VAULT exists at all, and a client referencing it as /home/VAULT is trying to point to the server structure /home/VAULT/home/VAULT.

In nfs4, exported directories are all attached to that nfsroot structure, meaning if you want to export a directory that is outside it, you must bind it to another one that is inside it.

If it helps you get the idea, here's a real example:

```
/export      192.168.0.0/24(rw,sec=sys,fsid=0,no_root_squash,no_subtree_check,nohide,async,anonuid=250,anongid=250)

/export/kernel   192.168.0.0/24(rw,no_subtree_check,async,nohide)

/export/distfiles   192.168.0.0/24(rw,no_subtree_check,async,no_root_squash,nohide,secure,anonuid=250,anongid=250)

```

Note that kernel and distfiles are binds to be part of the nfsroot structure.

To mount as nfs3 client do: `server:/export/distfiles /somedir nfs rw,users,nfsvers=3,vers=3`

To use it as nfs4 client do: `server:/distfiles /somedir nfs rw,users`

It depends on nfs4 implementations, but in real nfs4 doing this is invalid: server:/export/distfiles, as it means you are looking for the /export/export/distfiles directory, which does not exist.

I suppose the first thing you should do is fix that mess. Next to that, maybe someone could help you with your encryption issue.
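The pseudo-root mapping described above, as an added example that is not from this thread: it parses /etc/exports text (constructed here from the two shapes posted in the thread), resolves what an NFSv4 client asks for onto the server tree, reports whether that directory is actually exported, and flags the squash options (no_root_squash / all_squash) that decide whose identity the client ends up with. All function names are my own.

```python
import re
from posixpath import normpath

# Constructed /etc/exports contents, in the two shapes posted in this thread.
EXPORTS_ORIGINAL = "/home/VAULT  192.168.0.0/26(sync,no_root_squash,rw,no_subtree_check)\n"
EXPORTS_WITH_ROOT = """
/home        192.168.0.0/26(rw,sync,fsid=0,no_subtree_check)
/home/VAULT  192.168.0.0/26(sync,all_squash,no_subtree_check)
"""
SQUASH_OPTS = ("no_root_squash", "all_squash")  # options that change the effective identity

def parse_exports(text):
    """Return {server_path: set(options)} for each export line (one client spec per line)."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+\S+?\(([^)]*)\)", line.split("#", 1)[0])
        if m:
            table[m.group(1)] = set(filter(None, m.group(2).split(",")))
    return table

def nfs4_root(exports):
    """The export carrying fsid=0 is the NFSv4 pseudo-root; NFSv4 clients see it as '/'."""
    roots = [p for p, opts in exports.items() if "fsid=0" in opts]
    return roots[0] if roots else None

def check_mount(exports, client_path):
    """Map what an NFSv4 client asks for (server:<client_path>) onto the server tree."""
    root = nfs4_root(exports)
    if root is None:
        return {"error": "no fsid=0 export, so no NFSv4 pseudo-root is defined"}
    target = normpath(root + "/" + client_path.lstrip("/"))  # root is prepended, never stripped
    opts = exports.get(target, set())
    return {"server_path": target, "exported": target in exports,
            "squash": sorted(o for o in opts if o in SQUASH_OPTS)}

def client_path_for(exports, server_path):
    """Inverse: the path an NFSv4 client must mount to reach an exported server directory."""
    root = nfs4_root(exports)
    if root is None or not (server_path == root or server_path.startswith(root.rstrip("/") + "/")):
        raise ValueError(f"{server_path} is not inside the pseudo-root; bind-mount it under it")
    return "/" + server_path[len(root):].lstrip("/")

if __name__ == "__main__":
    ex = parse_exports(EXPORTS_WITH_ROOT)
    print(check_mount(ex, "/home/VAULT"))   # lands on /home/home/VAULT, which is not exported
    print(check_mount(ex, "/VAULT"))        # lands on /home/VAULT and flags all_squash
    print(client_path_for(ex, "/home/VAULT"))  # the path the client should mount: /VAULT
```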

----------

## Cr0t

I added fsid to my home export and changed the mount option.

```
/home           192.168.0.0/26(rw,sync,fsid=0,no_subtree_check)

/home/VAULT             192.168.0.0/26(sync,all_squash,no_subtree_check)
```

I did not expect this to help, but this is what a `find /mnt/LAN/VAULT -type f` reveals:

```
...

find: ‘VAULT/AB/xJzsIfhxhIdtog7HGBc8FbuG6NA/OtK31r9117t033xw3S07WC/ZSfHwZnMeEYAxlN4c+hTMaMT8eI’: Permission denied

...

VAULT/AC/iFUYyPp1BbJXPxG+HT3YdBb0xfB/V0LN5s6bSmP2CQ0ObHyNuA/_WgR+93mXzNXNpqFowO,rlau4SO8IlDae

...

VAULT/AD/readme.txt

...
```

Touching a file just hangs.

For testing purposes, I set up Samba and sharing works as expected.

----------

## Yamakuzure

*Cr0t wrote:*

> I added fsid to my home export and changed the mount option.

And did you issue `exportfs -r -f` on your server after changing /etc/exports?

BTW: The option all_squash may not be what you want. It means that all access is changed to nobody:nogroup. Does nobody have access to your files and directories?

----------

## Cr0t

*Yamakuzure wrote:*

> *Cr0t wrote:*
>
> > I added fsid to my home export and changed the mount option.
>
> And did you issue `exportfs -r -f` on your server after changing /etc/exports?
>
> BTW: The option all_squash may not be what you want. It means that all access is changed to nobody:nogroup. Does nobody have access to your files and directories?

I restarted nfs and tried all different kinds of combinations of nfs settings. All the files are encrypted.

----------

## salahx

I tried this for myself in a virtual machine as the OP did it. It doesn't work for me either.

BUT when I run e4crypt as root and add it to root's session, it works! (You're probably seeing a mix of stuff due to attribute caching. Pass the `-o noac` option on the client to turn it off.) This sort of makes sense: the NFS server needs access to the key in the keyring, and although you might think it impersonates the owner of the file and searches that user's keyring for the keys, it doesn't. It gets its keys from root. How exactly the NFS server (with its own session) gets the key from another session (even though they might be running as the same user) evades me, however. I can't see how it works. Perhaps it SHOULDN'T work....

Note that given the purposes ext4 file encryption is used for, you probably shouldn't be exporting encrypted data anyway.

----------

