Edit

Share via

Encryption in transit for NFS Azure file shares (preview)

This article explains how you can encrypt data in transit for NFS Azure file shares.

Important

Azure Files NFS v4.1 volumes enhance network security by enabling secure TLS connections, protecting data in transit from interception, including MITM attacks.

Using Stunnel, an open-source TLS wrapper, Azure Files encrypts the TCP stream between the NFS client and Azure Files with strong encryption using AES-GCM, without needing Kerberos. This ensures data confidentiality while eliminating the need for complex setups or external authentication systems like Active Directory.

The AZNFS utility package simplifies encrypted mounts by installing and setting up Stunnel on the client. Available on packages.microsoft.com, AZNFS creates a local secure endpoint that transparently forwards NFS client requests over an encrypted connection. The key architectural components include:

  • AZNFS Mount Helper: A client utility package that abstracts the complexity of establishing secure tunnels for NFSv4.1 traffic.

  • Stunnel Process: Per-storage-account client process that listens for NFS client traffic on a local port and forwards it securely over TLS to the Azure Files NFS server.

  • AZNFS watchdog: The AZNFS package runs a background job that ensures stunnel processes are running, automatically restarts terminated tunnels, and cleans up unused processes after all associated NFS mounts are unmounted.

Supported regions

All regions that support Azure Premium Files now support encryption in transit, with the exception of Korea Central and West Europe.

Register for preview

To enable encryption in transit for your NFS shares, you must register for the preview feature.

Register through the Azure portal by searching for "Encryption in transit for Azure NFS file shares" under Preview Features.

Diagram showing the Azure portal screen to test if EiT is applied.

For more information, see Set up preview features in Azure subscription.

Enforce encryption in transit

By enabling the Secure transfer required setting on the storage account, you can ensure that all the mounts to the NFS volumes in the storage account are encrypted.

Screenshot showing how to enable Secure transfer on a storage account.

However, for users who prefer to maintain flexibility between TLS and non-TLS connections on the same storage account, the Secure transfer setting must remain OFF.

How to encrypt data in transit for NFS shares (preview)

Follow these steps to encrypt data in transit:

  1. Ensure the required AZNFS mount helper package is installed on the client.
  2. Mount the NFS file share with TLS encryption.
  3. Verify that the encryption of data succeeded.

Step 1: Check AZNFS mount helper package installation

To check if the AZNFS mount helper package is installed on your client, run the following command:

systemctl is-active --quiet aznfswatchdog && echo -e "\nAZNFS mounthelper is installed! \n"

If the package is installed, you'll see the message AZNFS mounthelper is installed!. If it isn't installed, you'll need to use the appropriate command to install the AZNFS mount helper package on your client.

curl -sSL -O https://packages.microsoft.com/config/$(source /etc/os-release && echo "$ID/$VERSION_ID")/packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
rm packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install aznfs

Important

AZNFS supported Linux distributions are:

  • Ubuntu (18.04 LTS, 20.04 LTS, 22.04 LTS, 24.04 LTS)
  • Centos7, Centos8
  • RedHat7, RedHat8, RedHat9
  • Rocky8, Rocky9
  • SUSE (SLES 15)
  • Oracle Linux
  • Alma Linux

Step 2: Mount the NFS file share

To mount the NFS file share with TLS encryption:

  1. Create a directory on your client.
sudo mkdir -p /mount/<storage-account-name>/<share-name>
  1. Mount the NFS share by using the following cmdlet. Replace <storage-account-name> with the name of your storage account and replace <share-name> with the name of your file share.
sudo mount -t aznfs <storage-account-name>.file.core.windows.net:/<storage-account-name>/<share-name> /mount/<storage-account-name>/<share-name> -o vers=4,minorversion=1,sec=sys,nconnect=4

To mount the NFS share without TLS encryption:

sudo mount -t aznfs <storage-account-name>.file.core.windows.net:/<storage-account-name>/<share-name> /mount/<storage-account-name>/<share-name> -o vers=4,minorversion=1,sec=sys,nconnect=4,notls

To have the share mounted automatically on reboot, create an entry in the /etc/fstab file by adding the following line:

<storage-account-name>.file.core.windows.net:/<storage-account-name>/<container-name> /nfsdata aznfs defaults,sec=sys,vers=4.1,nolock,proto=tcp,nofail,_netdev   0 2

Note

Before running the mount command, ensure that the environment variable AZURE_ENDPOINT_OVERRIDE is set. This is required when mounting file shares in non-public Azure cloud regions or when using custom DNS configurations. For example, for Azure China Cloud: export AZURE_ENDPOINT_OVERRIDE="chinacloudapi.cn"

Step 3: Verify that the in-transit data encryption succeeded

Run the command df -Th.

Diagram showing the Powershell screen to test if EiT is applied.

It indicates that the client is connected through the local port 127.0.0.1, not an external network. The stunnel process listens on 127.0.0.1 (localhost) for incoming NFS traffic from the NFS client. Stunnel then intercepts this traffic and securely forwards it over TLS to the Azure Files NFS server on Azure.

To check if traffic to the NFS server is encrypted, use the tcpdump command to capture packets on port 2049.

sudo tcpdump -i any port 2049 -w nfs_traffic.pcap

When you open the capture in Wireshark, the payload will appear as "Application Data" instead of readable text.

Diagram showing the Wireshark screen to test if EiT is applied.

Note

All traffic from a virtual machine to the same server endpoint uses a single connection. The AZNFS mount helper ensures that you can't mix TLS and non-TLS configurations when mounting shares to that server. This rule applies to shares from the same storage account and different storage accounts that resolve to the same IP address.

Troubleshooting

A non-TLS (notls) mount operation might fail if a previous TLS-encrypted mount to the same server was terminated before completing successfully. Although the aznfswatchdog service automatically cleans up stale entries after a timeout, attempting a new non-TLS mount before cleanup completes can fail.

To resolve this issue, remount the share using the clean option, which immediately clears any stale entries:

sudo mount -t aznfs <storage-account-name>.file.core.windows.net:/<storage-account-name>/<share-name> /mount/<storage-account-name>/<share-name> -o vers=4,minorversion=1,sec=sys,nconnect=4,notls,clean

If mounting issues continue, check the log files for more troubleshooting details:

  • Mount Helper and Watchdog Logs: /opt/microsoft/aznfs/data/aznfs.log
  • Stunnel Logs: /etc/stunnel/microsoft/aznfs/nfsv4_fileShare/logs

See also