PowerStore supports NFSv3 through NFSv4.1. Secure NFS uses Kerberos to protect data in transit through user authentication, data signing, and encryption. Kerberos provides integrity (signing) and privacy (encryption). Integrity and privacy are optional: they are enabled through NFS mount options.
Without Kerberos, the server relies entirely on the client to authenticate users: the server trusts the client. With Kerberos, this is not the case. The server trusts the Key Distribution Center (KDC). It is the KDC that handles the authentication and manages accounts (principals) and passwords. Moreover, no password in any form is sent over the wire.
Without Kerberos, the credential of the user is sent on the wire unencrypted and thus can easily be recorded and spoofed. With Kerberos, the identity (principal) of the user is in the encrypted Kerberos ticket, which can only be read by the target server and KDC. They are the only ones to know the encryption key.
With secure NFS, encryption is supported using the Advanced Encryption Standard (AES). Both AES128 and AES256 encryption in Kerberos are supported. Along with secure NFS, this also impacts Server Message Block (SMB) and LDAP. These encryption types are now supported by default by Windows and Linux. Although these new encryption methods are more secure, it is up to the client whether they are used. From the User Principal Name (UPN) in the Kerberos ticket, the server builds the credential of that user by querying the active UNIX Directory Service (UDS). Because Network Information Service (NIS) is not secure, using it with secure NFS is not recommended. We recommend using Kerberos with LDAP or LDAP over SSL (LDAPS).
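Because integrity and privacy are chosen per mount on the client, it is worth checking which protection each NFS mount actually negotiated. The script below is an added example, not part of the PowerStore documentation: it classifies mounts by the Linux NFS client's `sec=` option (`sys`, `krb5`, `krb5i`, `krb5p`, names that come from the Linux client rather than from this page) and counts those below a required level. The sample mount table, host name, and paths are constructed.

```shell
#!/bin/sh
# Added example (not from the PowerStore documentation).
# Input uses the /proc/mounts layout: device mountpoint fstype options dump pass

# Print "mountpoint flavor verdict" for every NFS mount read from stdin.
audit_nfs_sec() {
    awk '
    $3 == "nfs" || $3 == "nfs4" {
        flavor = "sys"                 # assumed when no sec= option is listed
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^sec=/) flavor = substr(opts[i], 5)
        if (flavor == "krb5p")      verdict = "kerberos+integrity+privacy"
        else if (flavor == "krb5i") verdict = "kerberos+integrity"
        else if (flavor == "krb5")  verdict = "kerberos-auth-only"
        else                        verdict = "no-kerberos"
        print $2, flavor, verdict
    }'
}

# Count NFS mounts on stdin that are weaker than the required flavor
# (krb5, krb5i or krb5p), for use as a compliance check.
count_below() {
    audit_nfs_sec | awk -v min="$1" '
    BEGIN { rank["sys"] = 0; rank["krb5"] = 1; rank["krb5i"] = 2; rank["krb5p"] = 3 }
    { r = ($2 in rank) ? rank[$2] : 0; if (r < rank[min]) c++ }
    END { print c + 0 }'
}

# Constructed sample mount table; host and paths are placeholders.
SAMPLE_MOUNTS='nas.example.test:/home /mnt/home nfs4 rw,relatime,vers=4.1,proto=tcp,sec=krb5p 0 0
nas.example.test:/proj /mnt/proj nfs4 rw,relatime,vers=4.1,proto=tcp,sec=krb5i 0 0
nas.example.test:/build /mnt/build nfs4 rw,relatime,vers=4.0,proto=tcp,sec=krb5 0 0
nas.example.test:/scratch /mnt/scratch nfs rw,relatime,vers=3,proto=tcp,sec=sys 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | audit_nfs_sec
echo "mounts below krb5p: $(printf '%s\n' "$SAMPLE_MOUNTS" | count_below krb5p)"
# On a live Linux client: audit_nfs_sec < /proc/mounts
```

A mount reported as `sys` relies on the client's assertion of user identity, and `krb5` authenticates the user but leaves the data unsigned and unencrypted on the wire.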