NFS encryption

The Delphix Continuous Data Engine facilitates data communication with VDB target environments and staging environments via NFS and iSCSI. The system provides the flexibility to encrypt this communication as needed.

Feature limitations

1. Supports only Linux-based host systems and Oracle clusters.

2. Windows systems and Windows clusters are not yet supported.

3. NFS encryption is not compatible with Oracle dNFS.

4. NFS encryption is not compatible with NFSv3.

Prerequisites

• The following operating systems are supported:

  • CentOS 7 and later

  • RHEL 7 and later

  • SUSE 12 and 15

• The designated network port for the specified feature in the Delphix Continuous Data Engine is 54046. The connection to this port is initiated from the host to the Delphix Continuous Data Engine, constituting an ingress connection from the perspective of the Delphix Continuous Data Engine. For more information on network connectivity requirements, refer to Network connectivity requirements.

Feature design

Encryption can be applied to secure data transfer between the Delphix Continuous Data Engine and the target VDB or staging source environment via NFS. This feature allows you the flexibility to enable or disable NFS communication encryption on a per-environment basis.

Stunnel is used for this purpose. Stunnel is a utility that provides TLS tunneling capabilities in user space. The implementation involves configuring two Stunnel services to establish a secure TLS connection: one acting as a server and the other as a client. The client is configured to listen on a local port, enabling secure tunneling of any connections made to that port to the remote peer Stunnel application running on the server.

Implementation

The NFS Encryption parameter can be activated for the specific environment either through the environment page or using the command-line interface (CLI). For more information about using the CLI, refer to the CLI guide.

Before activating encryption, it's essential to confirm that all datasets linked to the environment are in a disabled state.

Once environment encryption is enabled, you must enable all the relevant datasets. The encryption status of datasets can be viewed in its status tab. To disable or enable all the associated datasets, APIs are available at the environment level. For specific API details and changes, refer to API Changes in Delphix 17.0.0.0.

Stunnel for NFS encryption (deployment and configuration)

Stunnel is employed for NFS encryption, as illustrated in the image for feature design above. The Stunnel executable and required resources are deployed to the host via the toolkit. A new working directory is created on the host and Stunnel functions from that location. A randomly generated port is employed to configure Stunnel on the host. Upon disabling this feature, the Stunnel process is terminated, and the working directory is removed from the host.

In cases where a host is connected to more than one Delphix Continuous Data Engine with NFS encryption enabled, it is possible to observe multiple Stunnel working directories on the host.

In the case of the Oracle cluster, the stunnel toolkit is set up, and the stunnel process is initiated on all active nodes when enabling this feature. Upon disabling the feature, the stunnel process is terminated, and the stunnel toolkit is uninstalled from all active nodes in the cluster.

Furthermore, when creating or enabling a node with this feature turned on for the cluster, the stunnel toolkit is configured, and the stunnel process is initiated on that specific node. If the feature is later turned off or the node is removed, the stunnel process is stopped, and the stunnel toolkit is removed from that individual node.

Certificate usage for Stunnel communication

On the setup page, a new certificate for the stunnel-server has been seamlessly integrated and this integration is fully automated, eliminating the need for any user intervention. The process for replacing this certificate is similar to the process of replacing another certificate on the setup page. For more details, refer to Customer provided key pair configuration.

Upon enabling NFS encryption for an environment, the stunnel working directory is established. Essential files are then transferred from the common toolkit directory to this newly created directory. Additionally, a required certificate is generated with a 730-day expiration period in real-time and is subsequently transferred to the host. This process facilitates the establishment of stunnel communication.

When you refresh the environment with NFS encryption enabled, a new certificate is generated and uploaded to the host. This process effectively extends the expiry, ensuring continued secure communication.

Configuring ciphersuites

The default ciphersuite used for stunnel communication is TLS_CHACHA20_POLY1305_SHA256. If needed, you can change it to one of the following options: "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_AES_128_CCM_8_SHA256", or "TLS_AES_128_CCM_SHA256" using the provided API.

When altering the ciphersuite used for NFS Encryption transport, any changes to the ciphersuite automatically trigger adjustments in the transport layer. This process eliminates the need for additional modifications or manual service restarts.

Diagnostic data

The environment monitoring system is implemented to assess the operational status of active stunnel connections andtrigger the necessary alerts and fault notifications in case of any identified issues. However, assuming all configurations are in order, it can also restart the stunnel process if it unexpectedly stops.

Additionally, for diagnostic purposes, it should be noted that the NFS encrypted mounts will be associated with the loopback IP address (127.0.0.1), while non-encrypted mounts will use the Delphix Continuous Data Engine's IP.

API Usage

The following APIs are integrated for broad applicability, proving particularly advantageous when setting up NFS encryption in an environment.