Encryption of Data in Transit - Encrypt Data at Rest with Amazon EFS Encrypted File Systems

Encryption of Data in Transit

You can mount a file system so all NFS traffic is encrypted in transit using Transport Layer Security 1.2 (TLS, formerly called Secure Sockets Layer [SSL]) with an industry-standard AES-256 cipher. TLS is a set of industry-standard cryptographic protocols used for encrypting information that is exchanged over the wire. AES-256 is a 256-bit encryption cipher used for data transmission in TLS. If your organization is subject to corporate or regulatory policies that require encryption of data and metadata in transit, we recommend setting up encryption in transit on every client accessing the file system.

Setting up Encryption of Data in Transit

The recommended method to set up encryption of data in transit is to install the EFS mount helper on each client. The EFS mount helper is an open-source utility that AWS provides to simplify using EFS, including setting up encryption of data in transit. The mount helper uses the EFS-recommended mount options by default.

  1. Install the EFS mount helper:

    • Amazon Linux: sudo yum install -y amazon-efs-utils

    • Other Linux distributions: download from GitHub (https://github.com/aws/efs-utils) and install.

    • Supported Linux distributions:

      • Amazon Linux 2017.09+

      • Amazon Linux 2+

      • Red Hat Enterprise Linux / CentOS 7+

      • Ubuntu 16.04+

    • The amazon-efs-utils package automatically installs the following dependencies:

      • NFS client (nfs-utils)

      • Network relay (stunnel)

      • Python

  2. Mount the file system:

    sudo mount -t efs -o tls file-system-id efs-mount-point

    • mount -t efs invokes the EFS mount helper.

    • Mounting by the DNS name of the file system or the IP address of a mount target is not supported by the EFS mount helper; use the file system ID instead.

    • The EFS mount helper uses the AWS-recommended mount options by default. Overriding these default mount options is not recommended, but the helper allows it when the occasion arises. We recommend thoroughly testing any mount option overrides so you understand how these changes affect file system access and performance.

    • Following are the default mount options used by the EFS mount helper.

      • nfsvers=4.1

      • rsize=1048576

      • wsize=1048576

      • hard

      • timeo=600

      • retrans=2

  3. Use /etc/fstab to remount the file system automatically after a system restart. Add the following line to /etc/fstab:

    file-system-id efs-mount-point efs _netdev,tls 0 0
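The fstab step above, worked through as an added example that is not code from the whitepaper or from the efs-utils project: two small helpers build the fstab entry for a TLS mount and audit an existing fstab for EFS entries that would mount without the tunnel. It assumes an EFS file system ID has the form fs- followed by 8 or 17 hex characters, that an efs-type entry whose option list omits tls mounts without TLS, and that a plain nfs/nfs4 entry naming a *.efs.<region>.amazonaws.com server bypasses the mount helper entirely. The sample fstab is constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not code from the whitepaper or the efs-utils project.
# Builds and audits /etc/fstab entries for EFS mounts made through the mount
# helper with TLS. Assumptions: an EFS ID is fs-<8 or 17 hex chars>; an "efs"
# entry whose option list omits "tls", or a plain nfs/nfs4 entry that targets a
# *.efs.<region>.amazonaws.com DNS name, carries NFS traffic without TLS.

# Return 0 only for a well-formed EFS file system ID (assumed format).
efs_validate_fs_id() {
    printf '%s\n' "$1" | grep -Eq '^fs-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# Print the fstab line for a TLS mount via the helper:
#   file-system-id efs-mount-point efs _netdev,tls 0 0
efs_fstab_line() {
    fs_id=$1
    mount_point=$2
    if ! efs_validate_fs_id "$fs_id"; then
        echo "efs_fstab_line: not an EFS file system id: $fs_id" >&2
        return 1
    fi
    printf '%s %s efs _netdev,tls 0 0\n' "$fs_id" "$mount_point"
}

# Audit an fstab file: report entries that would mount EFS without TLS on
# stderr and print the number of such entries on stdout.
efs_fstab_audit() {
    fstab=$1
    count=0
    while read -r dev mp type opts rest; do
        case "$dev" in ''|\#*) continue ;; esac   # blank lines and comments
        case "$type" in
            efs)
                case ",$opts," in
                    *,tls,*) ;;   # helper mount with TLS: encrypted in transit
                    *) echo "NO TLS: $dev on $mp (type efs, options $opts)" >&2
                       count=$((count + 1)) ;;
                esac ;;
            nfs|nfs4)
                case "$dev" in
                    *.efs.*.amazonaws.com:*)   # EFS mounted without the helper
                        echo "NO TLS: $dev on $mp (plain $type mount bypasses the helper)" >&2
                        count=$((count + 1)) ;;
                esac ;;
        esac
    done < "$fstab"
    echo "$count"
}

# Constructed sample fstab (not from a real host): one correct TLS entry, one
# helper entry missing tls, and one plain nfs4 mount by DNS name.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# /etc/fstab (constructed sample)
UUID=0000-0000 / ext4 defaults 1 1
fs-12345678 /mnt/efs-secure efs _netdev,tls 0 0
fs-abcdef01 /mnt/efs-plain efs _netdev 0 0
fs-12345678.efs.us-east-1.amazonaws.com:/ /mnt/efs-dns nfs4 nfsvers=4.1,_netdev 0 0
EOF

efs_fstab_line fs-12345678 /mnt/efs-secure
efs_fstab_audit "$SAMPLE_FSTAB"    # reports two entries on stderr, prints 2
```

Running the audit against a real host's /etc/fstab (efs_fstab_audit /etc/fstab) gives a quick check that every EFS entry goes through the helper with tls before the next reboot remounts it.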

Using Encryption of Data in Transit

If your organization is subject to corporate or regulatory policies that require encryption of data in transit, we recommend using encryption of data in transit on every client accessing the file system. Encryption and decryption are configured at the connection level and add another layer of security. Mounting the file system using the EFS mount helper sets up and maintains a TLS 1.2 tunnel between the client and the Amazon EFS service, and routes all NFS traffic over this encrypted tunnel. The certificate used to establish the encrypted TLS connection is signed by the Amazon Certificate Authority (CA) and trusted by most modern Linux distributions. The EFS mount helper also spawns a watchdog process that monitors the secure tunnel to each file system and ensures it keeps running. After using the EFS mount helper to establish encrypted connections to Amazon EFS, no other user input or configuration is required. Encryption is transparent to user connections and applications accessing the file system.

After successfully mounting and establishing an encrypted connection to an EFS file system using the EFS mount helper, the output of the mount command shows that the file system is mounted and that an encrypted tunnel has been established using localhost (127.0.0.1) as the network relay. See the sample output below.

127.0.0.1:/ on efs-mount-point type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=20059,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1)

To map an efs-mount-point back to its EFS file system, search the mount.log file in /var/log/amazon/efs for the last successful mount operation. This can be done with a simple grep command like the one below.

grep -E "Successfully mounted.*efs-mount-point" /var/log/amazon/efs/mount.log | tail -1

This grep command returns the log record containing the DNS name of the mounted EFS file system. See the sample output below.

2018-03-15 07:03:42,363 - INFO - Successfully mounted file-system-id.efs.region.amazonaws.com at efs-mount-point
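The two checks above (reading the mount output for the 127.0.0.1 relay, and mapping a mount point back to its file system through mount.log) as an added example that is not code from the whitepaper or the efs-utils project. It assumes that a helper mount with TLS appears in mount output as "127.0.0.1:/ on <mount point> type nfs4 (... addr=127.0.0.1)", that an EFS mount made without the helper names a *.efs.<region>.amazonaws.com server directly, and that a "Successfully mounted" log record ends with the mount point, as the sample record shows. The mount output and log lines are constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not code from the whitepaper or the efs-utils project.
# Classifies `mount` output lines by whether EFS traffic goes through the local
# TLS relay, and maps a mount point back to its file system via the helper log.
# Assumptions: a helper TLS mount shows "127.0.0.1:/ on <mp> type nfs4 (...addr=127.0.0.1)";
# an EFS mount that bypasses the helper names a *.efs.<region>.amazonaws.com server;
# a "Successfully mounted ... at <mp>" log record ends with the mount point.

# Classify one line of `mount` output: tls, plaintext, or not-efs.
# (Any NFS server on 127.0.0.1 would match "tls"; efs_fs_for_mountpoint below
# confirms from the helper log that the relay belongs to an EFS mount.)
efs_mount_status() {
    case "$1" in
        "127.0.0.1:/"*" type nfs4 ("*"addr=127.0.0.1"*) echo tls ;;
        *".efs."*".amazonaws.com:/"*" type nfs"*)        echo plaintext ;;
        *)                                              echo not-efs ;;
    esac
}

# Print "<status> <mount point>" for every EFS-related line in `mount` output.
efs_mount_report() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        status=$(efs_mount_status "$line")
        if [ "$status" != not-efs ]; then
            mp=$(printf '%s\n' "$line" | sed -E 's/^.* on (.+) type nfs4? .*$/\1/')
            printf '%s %s\n' "$status" "$mp"
        fi
    done
}

# Print the DNS name of the file system behind a mount point, taken from the
# last "Successfully mounted <dns-name> at <mp>" record in the log; fail if none.
efs_fs_for_mountpoint() {
    awk -v mp="$2" '
        /Successfully mounted/ && $NF == mp { fs = $(NF-2) }
        END { if (fs != "") print fs; else exit 1 }
    ' "$1"
}

# Constructed sample `mount` output: a helper TLS mount (port= is the local
# relay port), a direct DNS-name mount that bypasses the helper, and a local disk.
SAMPLE_MOUNT_OUTPUT='127.0.0.1:/ on /mnt/efs type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=20059,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1)
fs-abcdef01.efs.us-east-1.amazonaws.com:/ on /mnt/efs-direct type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,addr=10.0.1.25)
/dev/xvda1 on / type ext4 (rw,noatime,data=ordered)'

# Constructed sample mount.log: /mnt/efs was remounted to a different file
# system later, so the last record for it must win; /mnt/efs2 must not match /mnt/efs.
SAMPLE_MOUNT_LOG=$(mktemp)
cat > "$SAMPLE_MOUNT_LOG" <<'EOF'
2018-03-15 06:58:10,101 - INFO - Successfully mounted fs-12345678.efs.us-east-1.amazonaws.com at /mnt/efs
2018-03-15 07:00:01,222 - INFO - Successfully mounted fs-12345678.efs.us-east-1.amazonaws.com at /mnt/efs2
2018-03-15 07:03:42,363 - INFO - Successfully mounted fs-abcdef01.efs.us-east-1.amazonaws.com at /mnt/efs
EOF

efs_mount_report "$SAMPLE_MOUNT_OUTPUT"
efs_fs_for_mountpoint "$SAMPLE_MOUNT_LOG" /mnt/efs
```

On a live client, feed the real data in with efs_mount_report "$(mount)" and efs_fs_for_mountpoint /var/log/amazon/efs/mount.log /mnt/efs; any "plaintext" line is an EFS mount whose NFS traffic is not going through the TLS tunnel.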