TLS is an encryption method that you can choose to enable for NFS traffic on the cluster. If you want to ensure that NFS traffic to a particular view is only accessible via encryption, you can choose to enforce TLS encryption. Additionally, you can further restrict which minimum TLS version you require and which ciphers you allow.
For NFSv4, TLS provides an alternative to encrypting traffic with Kerberos. While Kerberos is supported only if Active Directory is used as an authorization provider, TLS encryption does not require an authorization provider.
TLS encryption for NFSv4 runs over the standard NFS4 TCP port 2049.
In order to enforce TLS encryption on NFS connections, you need to install a TLS certificate on the client and on the cluster, through VMS, and set the relevant view policy to enforce TLS encryption for NFS. In order to connect to views that use such a view policy, the client must have a certificate installed that trusts the cluster's certificate.
From VAST Cluster 5.3.2, the cluster supports encryption of in-transit Remote Procedure Call (RPC) transactions for NFSv3 and NFSv4 clients, where the clients establish RPC-over-TLS sessions against the VAST NFS server. Alternatively, and in earlier 5.3 releases, clients can open a TLS tunnel to the cluster's NFS server before mounting the view.
Limitations
This feature is not supported for NFSv4.1 over RDMA.
When mounting NFSv4.1 with nconnect, client kernel version 5.3 or higher is required.
How to Configure TLS Encryption over NFS
Obtain or Generate TLS Certificate and Key
Obtain an SSL certificate from a Certificate Authority (CA). The CA will provide you with two files: a certificate file and a key file. Choose an X.509 output file format containing ASCII (Base64) encoded data.
Configure the Client to Connect with TLS Encryption
You can configure the client to connect with TLS encryption in either of the following ways:
Using RPC over TLS
Notice
This feature is introduced in VAST Cluster 5.3.2 and requires enablement. Please contact VAST Support for assistance enabling this feature.
On each client machine that needs to be able to connect via NFS to a view on the cluster:
Ensure that the client machine trusts the cluster's TLS certificate (an appropriate certificate is installed).
Ensure that the tlshd service is installed and running on the machine.
Use the xprtsec=tls NFS mount option to ensure that the client establishes an RPC-over-TLS session against the cluster's NFS server.
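The three client-side steps above, followed by a check that the kernel actually negotiated TLS for the mount, as an added example script. It is not VAST tooling: the VIP, view path, mount point, certificate and CA bundle paths are placeholders, and the post-mount check assumes the kernel lists xprtsec= among the NFS mount options in /proc/mounts (as kernels with RPC-with-TLS support do).

```shell
#!/bin/sh
# Added example, not VAST tooling: prerequisite checks for an RPC-over-TLS
# NFS mount, the mount itself, and a post-mount check that the kernel really
# negotiated TLS. All values below are placeholders (assumptions).
CLUSTER_VIP="${CLUSTER_VIP:-192.0.2.10}"                        # VIP with the protocols role
VIEW_PATH="${VIEW_PATH:-/data}"                                  # path of the view to mount
MOUNT_POINT="${MOUNT_POINT:-/mnt/data}"
CLUSTER_CERT="${CLUSTER_CERT:-/etc/pki/tls/certs/cluster.pem}"  # cluster NFS certificate, fetched out of band
CA_BUNDLE="${CA_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"      # trust store the client uses

# 1. The cluster certificate must chain to a CA the client trusts.
cluster_cert_trusted() {
    openssl verify -CAfile "$CA_BUNDLE" "$CLUSTER_CERT" >/dev/null 2>&1
}

# 2. The tlshd handshake daemon must be running for xprtsec=tls to work.
tlshd_running() {
    systemctl is-active --quiet tlshd
}

# 3. Mount with xprtsec=tls. NFSv4.1 is assumed here; NFSv3 mounts the same way.
mount_with_tls() {
    sudo mount -t nfs -o "vers=4.1,xprtsec=tls" "$CLUSTER_VIP:$VIEW_PATH" "$MOUNT_POINT"
}

# 4. Read a /proc/mounts-style listing on stdin and return 0 only if the
#    entry for mount point $1 is an NFS mount whose options carry xprtsec=tls.
mount_uses_tls() {
    awk -v mp="$1" '
        $2 == mp && $3 ~ /^nfs/ {
            seen = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "xprtsec=tls") found = 1
        }
        END { if (seen && found) exit 0; exit 1 }
    '
}

# Constructed sample of what /proc/mounts might show: one TLS mount, one plain.
SAMPLE_MOUNTS='192.0.2.10:/data /mnt/data nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,xprtsec=tls,sec=sys,addr=192.0.2.10 0 0
192.0.2.10:/plain /mnt/plain nfs4 rw,relatime,vers=4.1,sec=sys,addr=192.0.2.10 0 0'

run_all() {
    cluster_cert_trusted || { echo "cluster certificate does not verify against $CA_BUNDLE" >&2; return 1; }
    tlshd_running        || { echo "tlshd is not running" >&2; return 1; }
    mount_with_tls       || return 1
    mount_uses_tls "$MOUNT_POINT" < /proc/mounts \
        || { echo "$MOUNT_POINT is mounted but not over TLS" >&2; return 1; }
    echo "$MOUNT_POINT mounted over RPC-with-TLS"
}

# Only act when invoked explicitly: sh rpc_tls_mount.sh --run
if [ "${1:-}" = "--run" ]; then run_all; fi
```

The last check matters because a mount that silently fell back to a plain transport would look identical in `df`; reading the mount options back is the only client-side confirmation that the session is encrypted.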
Using a TLS Tunnel
On each client machine that needs to be able to connect via NFS4 to a view on the cluster:
Install the TLS certificate on the client machine.
Install stunnel:
yum install stunnel
Create a configuration file for stunnel at /etc/stunnel/stunnel.conf.
For documentation of stunnel options, see https://www.stunnel.org/static/stunnel.html.
The content should include the following:
pid = /var/run/stunnel/stunnel.pid
cert = ${CERT_FOLDER}/stunnel.pem
socket = r:TCP_NODELAY=1
[nfs4]
client=yes
accept=<local host IP>:<port number between 49152 and 65535>
connect=<VIP>:2049
ciphers = <cipher list>
sslVersion = TLSv1.3
The following options are included:
pid. The file location in which to create the stunnel pid file, in which stunnel saves its process ID.
cert. The path to the TLS certificate.
socket. Sets the TCP_NODELAY option on the remote socket to improve network latency.
client. Specifies client mode.
accept. The port to listen on (optional).
connect. The port to connect to, the standard NFS4.1 TCP port 2049, on one of the VIPs in a VIP pool on the cluster, with the protocols role.
ciphers. Specifies a list of ciphers. You can enter ALL or a list in OpenSSL cipher list format (see https://www.openssl.org/docs/man1.0.2/man1/ciphers.html). VAST supports the OpenSSL ciphers library ciphers. To display the full list of OpenSSL ciphers, run openssl ciphers -v "AES:\!AECDH" on a Linux host.
sslVersion. Specifies the supported version of TLS (TLSv1.3 in the example).
Run an stunnel process to open a TLS tunnel to the cluster's NFSv4 server, before mounting the view.
For example, to manually start stunnel:
sudo stunnel /etc/stunnel/stunnel.conf
Mount the view as follows:
sudo mount -t nfs -o port=<port_number>,vers=4.1 <localhost IP>:/<view_name> <directory_to_mount_to>
In which:
<port_number> is the port number specified by the accept option in the stunnel configuration file. stunnel listens on this port and redirects incoming packets to the VIP specified in the stunnel configuration file.
<view_name> is the name of the view on the cluster that you want to mount.
<localhost IP> is the IP of the local client host.
<directory_to_mount_to> is the directory on the client host to which you want to mount the view.
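The tunnel procedure above end to end, as an added example script that is not VAST's own tooling: it writes the stunnel client configuration from a few parameters, refuses a local port outside the 49152-65535 range, starts stunnel and mounts the view through the local listener. The VIP, view name, paths and cipher list are placeholders. Two settings are added beyond the configuration shown above, verifyChain and CAfile, because with stunnel's defaults the server certificate is not verified at all; the CA file path is an assumption.

```shell
#!/bin/sh
# Added example, not VAST tooling: build the stunnel client configuration
# from a few parameters, reject a local port outside the dynamic range,
# then start the tunnel and mount the view through it.
# Placeholder values (assumptions): VIP 192.0.2.10, view "data", paths.
CERT_FOLDER="${CERT_FOLDER:-/etc/stunnel}"          # holds stunnel.pem (the client certificate)
CA_FILE="${CA_FILE:-/etc/stunnel/cluster-ca.pem}"   # CA that issued the cluster's NFS certificate
CLUSTER_VIP="${CLUSTER_VIP:-192.0.2.10}"            # a VIP from a pool with the protocols role
LOCAL_IP="${LOCAL_IP:-127.0.0.1}"
LOCAL_PORT="${LOCAL_PORT:-50000}"
VIEW_NAME="${VIEW_NAME:-data}"
MOUNT_POINT="${MOUNT_POINT:-/mnt/data}"
STUNNEL_CONF="${STUNNEL_CONF:-/etc/stunnel/stunnel.conf}"   # needs write access
CIPHERS="${CIPHERS:-ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384}"

# 0 when $1 is an integer in the dynamic/private range 49152-65535.
valid_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]
}

# write_stunnel_conf <out> <local_ip> <local_port> <vip> <client_cert> <ca_file> <ciphers>
# Writes the [nfs4] client service. verifyChain/CAfile make stunnel refuse a
# server certificate that does not chain to the CA (stunnel's default is no
# peer verification).
write_stunnel_conf() {
    out="$1"; lip="$2"; lport="$3"; vip="$4"; cert="$5"; ca="$6"; ciph="$7"
    valid_local_port "$lport" || { echo "local port '$lport' is not in 49152-65535" >&2; return 1; }
    cat > "$out" <<EOF
pid = /var/run/stunnel/stunnel.pid
cert = $cert
socket = r:TCP_NODELAY=1

[nfs4]
client = yes
accept = $lip:$lport
connect = $vip:2049
verifyChain = yes
CAfile = $ca
ciphers = $ciph
sslVersion = TLSv1.3
EOF
}

start_tunnel_and_mount() {
    write_stunnel_conf "$STUNNEL_CONF" "$LOCAL_IP" "$LOCAL_PORT" "$CLUSTER_VIP" \
        "$CERT_FOLDER/stunnel.pem" "$CA_FILE" "$CIPHERS" || return 1
    sudo stunnel "$STUNNEL_CONF" || return 1
    # The mount talks plaintext to the local listener only; stunnel carries it to the VIP over TLS.
    sudo mount -t nfs -o "port=$LOCAL_PORT,vers=4.1" "$LOCAL_IP:/$VIEW_NAME" "$MOUNT_POINT"
}

# Only act when invoked explicitly: sh nfs_stunnel.sh --run
if [ "${1:-}" = "--run" ]; then start_tunnel_and_mount; fi
```

One caveat on the cipher settings: in stunnel 5.50 and later the ciphers option governs TLS 1.2 and below, while TLS 1.3 suites (TLS_AES_256_GCM_SHA384 and friends) are selected with the separate ciphersuites option. With sslVersion pinned to TLSv1.3 as above, the ciphers line therefore restricts nothing; add a ciphersuites line if you need to narrow the TLS 1.3 suites.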
Configuring TLS Encryption of NFS on VAST Cluster
To configure TLS encryption for NFS client connections, do the following:
Per your security requirements, restrict TLS version support and also further restrict the server-side supported cipher list. This affects all TLS connections to the cluster.
Where relevant, if you want to block non-TLS client connection access to any views, make sure the view policy of each such view is set to enforce usage of TLS encryption by the client. To do this, in the relevant view policy, enable the Enforce TLS to encrypt traffic setting.
Starting with VAST Cluster 5.3.2, you can additionally and optionally choose the Relaxed TLS enforcement option. This setting modifies the enforcement to allow non-TLS connections on auxiliary NFSv3 subprotocols such as MOUNT, NLM, NSM and RQUOTA.
Managing TLS Certificates for NFSv4.1
Installing a TLS Certificate for NFS
VAST Web UI
From the left navigation menu, select Settings and then Certificates.
From the Certificate for dropdown, select NFS.
Enter the certificate file contents in the Certificate field and the key file content into the Key field.
When pasting the certificate file content, include the BEGIN CERTIFICATE and END CERTIFICATE lines, like this:
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
When pasting the private key file content, include the BEGIN PRIVATE KEY and END PRIVATE KEY lines, like this:
-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----
Click Update.
Your certificate is installed.
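Before pasting the files obtained from the CA into VMS, it is worth confirming that they are in the ASCII (Base64) PEM form the installation steps expect and that the key actually belongs to the certificate. The following added example script does those checks; it is not VAST tooling, the file paths are placeholders, and the PKCS#8 conversion assumes you want the BEGIN PRIVATE KEY form shown in the paste instructions above.

```shell
#!/bin/sh
# Added example, not VAST tooling: pre-flight checks on the certificate and
# key files before their contents are pasted into VMS. Paths are placeholders.
CERT_FILE="${CERT_FILE:-/etc/pki/tls/certs/nfs-cert.pem}"
KEY_FILE="${KEY_FILE:-/etc/pki/tls/private/nfs-key.pem}"

# pem_has_block <file> <label>: 0 if the file is ASCII PEM carrying both the
# "-----BEGIN <label>-----" and "-----END <label>-----" lines.
pem_has_block() {
    grep -q "^-----BEGIN $2-----\$" "$1" && grep -q "^-----END $2-----\$" "$1"
}

# to_pkcs8 <in_key> <out_key>: rewrite a private key (for example a PKCS#1 file
# that starts with "BEGIN RSA PRIVATE KEY") as unencrypted PKCS#8, which is the
# "BEGIN PRIVATE KEY" form shown in the UI instructions.
to_pkcs8() {
    openssl pkey -in "$1" -out "$2" 2>/dev/null
}

# key_matches_cert <cert> <key>: 0 if the key's public half equals the
# certificate's public key. A mismatched pair either gets rejected or, worse,
# gets installed and then fails every TLS handshake.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# der_to_pem_cert <in.der> <out.pem>: convert a binary DER certificate to PEM,
# for the case where the CA delivered the wrong output format.
der_to_pem_cert() {
    openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null
}

precheck() {
    pem_has_block "$CERT_FILE" CERTIFICATE    || { echo "certificate is not PEM (no BEGIN/END CERTIFICATE lines)" >&2; return 1; }
    pem_has_block "$KEY_FILE" "PRIVATE KEY"   || { echo "key is not PKCS#8 PEM; run to_pkcs8 on it" >&2; return 1; }
    key_matches_cert "$CERT_FILE" "$KEY_FILE" || { echo "key does not match certificate" >&2; return 1; }
    echo "certificate and key look ready to paste into VMS"
}

# Only act when invoked explicitly: sh nfs_cert_precheck.sh --run
if [ "${1:-}" = "--run" ]; then precheck; fi
```

The public-key comparison works for RSA and EC keys alike, because both openssl x509 -pubkey and openssl pkey -pubout emit the same SubjectPublicKeyInfo PEM.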
Removing a TLS Certificate for NFS
VAST Web UI
From the left navigation menu, select Settings and then Certificates.
From the Certificate for dropdown, select NFS.
Click Remove.
The certificate is removed.