
  • February 13, 2020

Ironclad Security Provided by Oracle Cloud Infrastructure File Storage

Mona Khabazan
Principal Product Manager

Oracle has built a Generation 2 Cloud specifically to meet the needs of demanding enterprise usage, where security of customer data is the first priority. In our continuous effort to ensure data security, we're excited to announce that Oracle Cloud Infrastructure File Storage now offers in-transit encryption as a customer-selected option. This feature is available at no additional cost in all OCI regions.

In-transit encryption protects the NFS traffic between cloud compute instances and mounted file systems by carrying it over Transport Layer Security (TLS) 1.2. Together with other security controls, such as Oracle Cloud Infrastructure Key Management and the existing AES-256 encryption at rest that File Storage applies to newly created file systems, this gives customers end-to-end protection of their data to help meet stringent compliance and regulatory requirements.

Enable In-Transit Encryption

To enable in-transit encryption, you install a package called oci-fss-utils on each cloud compute instance that accesses the File Storage service. The oci-fss-utils package creates a network namespace and a virtual network interface on the instance and provides a local NFS endpoint. It also runs a forwarder process in the background, called oci-fss-forwarder.

The file system is mounted with a special command that sets up the encrypted path. Once mounted, the instance's NFS client talks to the local NFS endpoint instead of the mount target directly. The oci-fss-forwarder process receives the client's requests from that endpoint, encrypts them, and sends them to the mount target through a TLS tunnel.

Here are the general steps for setting up in-transit encryption:

  1. Download the oci-fss-utils package. For instructions, see Task 1 in the online documentation for in-transit encryption for the File Storage service.
  2. Install the oci-fss-utils package on the instance. For instructions, see Task 2.
  3. Use the in-transit encryption command to mount the file system. For instructions, see Task 3.

These steps configure in-transit encryption for that instance's connections to the mount target; repeat them on every instance that mounts the file system. Together with encryption at rest, data is then protected both while it crosses the Oracle Cloud Infrastructure network and while it is stored in the storage system.

Further Considerations

  • You can use a previously existing file system with in-transit encryption by creating an export for the file system in a new mount target.
  • You must install the oci-fss-utils package on every instance that requires encrypted access to a mount target.
  • Be sure to configure the right ports to allow the traffic to your mount target subnet. For instructions, see Configuring VCN Security Rules for File Storage.
  • The number of encrypted NFS and TLS connections to a single mount target is limited to 64. The limit comes from TLS memory requirements: unlike NFS connections, TLS connections don't share memory buffers, so the memory allocated to an established TLS connection stays dedicated to it.
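Because the package and the special mount command have to be applied on every instance, a practitioner will want a quick way to confirm that no instance still mounts the file system over plain NFS. The following shell script is an added example, not code from this post or from the oci-fss-utils package. It audits a mount table in /proc/mounts format for nfs/nfs4 entries whose source host is the mount target itself, which the text above describes as the unencrypted path (an encrypted mount instead talks to the local endpoint). The mount target address 10.0.1.5, the export paths, and the sample mount lines are constructed for the example; the entry standing in for the helper's local endpoint is only illustrative, and the exact source address that oci-fss-utils records on a real instance is not asserted here.

```shell
#!/bin/sh
# Added example, not code from the Oracle post or from oci-fss-utils.
# Audit an instance's mount table for NFS mounts that reach a File Storage
# mount target directly (in the clear) rather than through the local NFS
# endpoint that oci-fss-utils provides.
#
# Assumptions: the first argument is the mount target's private IP in your VCN,
# and the mount table is in /proc/mounts format. The "localhost" entry below is
# constructed to stand for the helper's local endpoint; the real address that
# oci-fss-utils records is not asserted by this script.

# Constructed /proc/mounts excerpt (real input: cat /proc/mounts).
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 / xfs rw,relatime,attr2,inode64,noquota 0 0
10.0.1.5:/fs-legacy /mnt/legacy nfs rw,relatime,vers=3,proto=tcp,hard,addr=10.0.1.5 0 0
10.0.1.5:/fs-reports /mnt/reports nfs4 rw,relatime,vers=4.0,proto=tcp,hard,addr=10.0.1.5 0 0
localhost:/fs-secure /mnt/secure nfs rw,relatime,vers=3,proto=tcp,hard,addr=127.0.0.1 0 0
10.0.2.9:/share /mnt/other nfs rw,relatime,vers=3,proto=tcp,hard,addr=10.0.2.9 0 0'

# plaintext_fss_mounts MOUNT_TARGET_IP   (mount table on stdin)
# Prints the mount point of every nfs/nfs4 entry whose source host is the
# mount target itself: that NFS client is bypassing the TLS tunnel.
plaintext_fss_mounts() {
  awk -v mt="$1" '
    $3 ~ /^nfs4?$/ {
      n = index($1, ":")          # source is host:/export
      host = (n > 0) ? substr($1, 1, n - 1) : $1
      if (host == mt) print $2
    }'
}

# count_plaintext_fss_mounts MOUNT_TARGET_IP   (mount table on stdin)
# Number of plaintext mounts to the mount target; "0" when there are none.
count_plaintext_fss_mounts() {
  plaintext_fss_mounts "$1" | wc -l | tr -d ' '
}

# forwarder_running: the post says oci-fss-utils runs oci-fss-forwarder in the
# background, so an encrypted mount without that process cannot be working.
# Live check only; not exercised on the sample data.
forwarder_running() {
  pgrep -x oci-fss-forwarder >/dev/null 2>&1
}

# audit_instance MOUNT_TARGET_IP: live check of this instance. Returns 1 and
# lists the offending mount points if any plaintext mount to the target exists.
audit_instance() {
  bad=$(plaintext_fss_mounts "$1" < /proc/mounts)
  [ -z "$bad" ] && return 0
  printf 'plaintext NFS to mount target %s:\n%s\n' "$1" "$bad" >&2
  return 1
}

# Demonstration on the constructed sample: prints /mnt/legacy and /mnt/reports,
# while /mnt/secure (local endpoint) and /mnt/other (different server) are not flagged.
printf '%s\n' "$SAMPLE_MOUNTS" | plaintext_fss_mounts 10.0.1.5
```

On a real instance, run `audit_instance <mount-target-ip>` after mounting; a non-zero exit means at least one NFS client on that instance still reaches the mount target without the oci-fss-forwarder tunnel. Source hosts are compared as written in the mount table, so if an instance mounted by hostname rather than IP, pass the same name the mount command used.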

With this new feature, shared data in Oracle Cloud Infrastructure File Storage continues to be encrypted at rest and can now be encrypted in transit as well.

Learn More

To learn more about security in relation to Oracle Cloud Infrastructure File Storage, see the following resources:
