Oracle Linux developer Chuck Lever has been collaborating on a new Internet-Draft that brings transparent, end-to-end encryption to NFS (and, in fact, to all RPC-based protocols).
As more Linux workloads traverse shared network infrastructure, we have seen an uptick in requests for encryption of network traffic. There are many ways to encrypt traffic point to point, but leading members of the Linux NFS community have proposed a different, and simpler, strategy for achieving over-the-wire encryption of NFS traffic.
Linux NFS maintainer Trond Myklebust and Oracle Linux developer Chuck Lever propose NFS-over-TLS, a transparent, easy-to-configure end-to-end encryption standard for RPC-based protocols such as NFS. The proposal uses standard TLS, with certificates that may simply be self-signed, to encrypt NFS traffic over the wire without the heavy deployment overhead of Kerberos or Active Directory.
There are several ways to encrypt NFS traffic over the wire today, including IPsec and Kerberos, but in their current incarnations each has significant drawbacks that keep most users from deploying them. Much like HTTPS, this proposal to enable RPC-over-TLS makes encryption the "easy" option by accepting self-signed certificates.
Although this standard is put forward as the simplest, easiest-to-use solution, it also provides unique benefits in cases where the alternative encryption solutions have no good answer: for example, when encryption is wanted per connection (each RPC transport gets its own TLS session) rather than as a host-to-host IPsec tunnel, or when the customer's user authentication domain is separate from the hosts' identity management, as is often the case in cloud environments.
There are plenty of deployment cases where the client and server already trust each other, and all that is needed is protection of the NFS traffic as it flows over an untrusted network. Most NFS deployments already work this way: a tenant trusts the server address that DNS hands it, but cannot trust that other tenants on the same network are not spying on the traffic.
This solution takes a hint from the way HTTPS encrypts web traffic: it treats encryption separately from authentication and authorization. While it is not as full-featured as the user authentication solutions, it is usable with minimal configuration by an administrator. The standard would be rolled out with that in mind, defaulting to a "use-if-available" model: if both ends support it and there is sufficient certificate trust available, NFS traffic is encrypted. Someday this could mean that all NFS traffic is transparently encrypted as the capability rolls out to NFS clients and servers.
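As an added illustration of the "use-if-available" model (example code written for this post, not the draft authors' code or the Linux implementation), here is the discovery step the draft defines: the client sends a NULL RPC call whose credential flavor is AUTH_TLS (flavor 7); a server that supports TLS accepts the call and places the string STARTTLS in its reply verifier, after which the client begins a TLS handshake on that same connection. The Python below encodes that probe in XDR, models both a TLS-capable and a legacy server, and shows how a client either falls back to cleartext or, when configured to require TLS, refuses to continue. The legacy server's exact rejection (modelled as AUTH_ERROR/AUTH_BADCRED) and the `require_tls` policy knob are assumptions for illustration; the constants, program number and message layout follow RFC 5531 and the RPC-over-TLS specification.

```python
import struct

# ONC RPC framing constants (RFC 5531) plus the AUTH_TLS flavor and STARTTLS
# verifier defined by the RPC-over-TLS specification (published as RFC 9289).
CALL, REPLY = 0, 1
MSG_ACCEPTED, MSG_DENIED = 0, 1
SUCCESS, AUTH_ERROR, AUTH_BADCRED = 0, 1, 1
AUTH_NONE, AUTH_TLS = 0, 7
STARTTLS = b"STARTTLS"
NFS_PROGRAM, NFS_V4, NFSPROC_NULL = 100003, 4, 0


def xdr_opaque(data: bytes) -> bytes:
    """XDR variable-length opaque: 4-byte length, data, zero padding to a 4-byte boundary."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)


def xdr_auth(flavor: int, body: bytes = b"") -> bytes:
    """XDR opaque_auth: flavor number followed by an opaque body."""
    return struct.pack(">I", flavor) + xdr_opaque(body)


class XdrReader:
    """Minimal big-endian XDR decoder over a byte string."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def u32(self) -> int:
        (value,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value

    def opaque(self) -> bytes:
        length = self.u32()
        value = self.data[self.pos:self.pos + length]
        self.pos += length + (-length) % 4
        return value


def build_tls_probe(xid: int) -> bytes:
    """Client -> server: a NULL call whose credential flavor is AUTH_TLS."""
    header = struct.pack(">IIIIII", xid, CALL, 2, NFS_PROGRAM, NFS_V4, NFSPROC_NULL)
    return header + xdr_auth(AUTH_TLS) + xdr_auth(AUTH_NONE)


def server_handle(call: bytes, supports_tls: bool) -> bytes:
    """Server -> client: answer a call, recognizing the AUTH_TLS probe when TLS is supported."""
    r = XdrReader(call)
    xid, _msg_type, _rpcvers = r.u32(), r.u32(), r.u32()
    _prog, _vers, proc = r.u32(), r.u32(), r.u32()
    cred_flavor, _cred_body = r.u32(), r.opaque()
    reply_header = struct.pack(">II", xid, REPLY)
    if cred_flavor == AUTH_TLS and supports_tls and proc == NFSPROC_NULL:
        # TLS is available: accept the probe and put STARTTLS in the verifier,
        # which tells the client to begin a TLS handshake on this connection.
        return (reply_header + struct.pack(">I", MSG_ACCEPTED)
                + xdr_auth(AUTH_NONE, STARTTLS) + struct.pack(">I", SUCCESS))
    if cred_flavor == AUTH_TLS:
        # Legacy server (assumption for this example): it does not know flavor 7
        # and rejects the credential. The client reads this as "no TLS here".
        return reply_header + struct.pack(">III", MSG_DENIED, AUTH_ERROR, AUTH_BADCRED)
    # Any other NULL call: plain success with an empty AUTH_NONE verifier.
    return (reply_header + struct.pack(">I", MSG_ACCEPTED)
            + xdr_auth(AUTH_NONE) + struct.pack(">I", SUCCESS))


def client_decide(reply: bytes, xid: int, require_tls: bool) -> str:
    """Client policy: 'tls' if the server answered STARTTLS; otherwise fall back or abort."""
    r = XdrReader(reply)
    if r.u32() != xid or r.u32() != REPLY:
        raise ValueError("not a reply to our probe")
    if r.u32() == MSG_ACCEPTED:
        verf_flavor, verf_body = r.u32(), r.opaque()
        if verf_flavor == AUTH_NONE and verf_body == STARTTLS:
            return "tls"
    # MSG_DENIED, or accepted without STARTTLS: this server cannot do TLS.
    # require_tls is an illustrative policy knob, not a name from the draft.
    return "abort" if require_tls else "cleartext"


def negotiate(supports_tls: bool, require_tls: bool, xid: int = 0x1234) -> str:
    """Run one probe round trip in memory and return the client's decision."""
    probe = build_tls_probe(xid)
    return client_decide(server_handle(probe, supports_tls), xid, require_tls)
```

The fallback branch is the point of the "use-if-available" default, and also its caveat: an on-path attacker who can suppress or alter the STARTTLS reply forces a silent downgrade to cleartext, so exports that must never travel unprotected need the client to require TLS rather than merely prefer it.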
This is still a draft standard, so don't expect it on your Oracle Linux servers very soon, but it is already being discussed in the industry press.