In 2018, I wrote an article on pushing NFSv4 through stunnel, resulting in NFS over TLS. Emails between NFS kernel developers indicate that this is <i>much</i> faster than Kerberos, and the RSA key setup that I published was adopted in RFC-9289 (which I assume also addresses the performance issue).<p><a href="https://www.linuxjournal.com/content/encrypting-nfsv4-stunnel-tls" rel="nofollow">https://www.linuxjournal.com/content/encrypting-nfsv4-stunnel-tls</a><p>Edit: Some time after I published, one of the RFC authors outlined the NFS architectural changes in a blog post.<p><a href="https://blogs.oracle.com/linux/post/encrypting-nfs-data-on-the-wire" rel="nofollow">https://blogs.oracle.com/linux/post/encrypting-nfs-data-on-the-wire</a>
Original author here. I wrote this article because I have set up NFSv4 with Kerberos twice so far and, both times, I ended up with a functional system but… very frustrated by how difficult and fragile everything seems.<p>That said, I still have a bunch of unanswered questions (all listed at the bottom of the article) and I suspect that some of you folks might have some insightful answers or corrections… hence why I’m submitting the article myself. If you do have any of those insights, please share here or there. And thanks!