nbdkit finally supports TLS (encryption)

nbdkit is a liberally licensed NBD server which a stable plugin API for serving disks from unconventional sources.

Finally I got around to adding TLS (encryption and authentication) support. The support is complete and appears to interoperate with QEMU. It also supports a certificate authority, client certificate verification, certificate revocation, server verification (by the client), and configurable algorithms.

Actually using TLS with NBD is no easy matter. It takes a few pages of instructions just to explain how to set up the public-key infrastructure. On the client (QEMU) side, the command line parameter for connecting to a TLS-enabled NBD server is lengthy.

Then there’s the question of how you ensure TLS is being used. In nbdkit as in other NBD servers you can either turn on TLS in which case it’s used when the client requests it, or you can require TLS. In the latter case nbdkit will reject non-TLS connections (thus ensuring TLS is really being used), but most clients won’t be able to connect to such a server.

As usual, where SSH got it right, SSL/TLS/HTTPS got it all horribly wrong.

Advertisements

6 Comments

Filed under Uncategorized

6 responses to “nbdkit finally supports TLS (encryption)

  1. Laszlo Ersek

    “As usual, where SSH got it right, SSL/TLS/HTTPS got it all horribly wrong” — can you elaborate on this? I vaguely remember reading (several) articles about overly complex configuration and bad defaults, but a good summary would be appreciated. Thanks!

    • rich

      The problem is we shouldn’t be afraid of self-signed certificates and pinning which is what ssh does by default. The alternative is setting up a full public key infrastructure, which is both stupidly complex but requires that the CA bothers to verify your identity correctly, which for a £3.99/year certificate basically never happens.

  2. Laszlo Ersek

    Ah, by “self-signed certificates and pinning” you mean “~/.ssh/known_hosts”, right? (Possibly tweaked with the StrictHostKeyChecking config option.) Makes sense. Thanks!

  3. That’s cool. I’ve started to explore the nbd world just today.
    I have a kind of holy dream to store my data on a remote server through a LUKS container.
    So the answer to my first question “does nbd support authentication and encryption or am I required to use SSH” is “yes”.
    The second question: does nbdkit support trim/discard? How could I shrink the size of image if I delete some files in it?

  4. Thomas

    Hi,

    I once started to write an nbd server based on netty. It should be easy to add TLS there too:
    https://github.com/thomasmey/nnbd

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s