+++ /dev/null
-# How to Set Up TLS for NVMe-TCP
-
-Enabling TLS for the NVMe-TCP transport requires a few configuration
-steps for both the kernel and userland.
-
-## Kernel Configuration
-
-To support TCP authentication and TLS encryption, enable the following
-kernel options:
-
-- For DHCHAP authentication:
- `CONFIG_NVME_HOST_AUTH`
-
-- For TLS transport encryption:
- `CONFIG_NVME_TCP_TLS`
-
-These configuration option depend on another config option but these
-will be auto selected.
-
-## Userland
-
-For the userland configuration two components need to be configured.
-First, the tlshd TLS handshake daemon needs to be running and TLS keys
-need to be loaded into the kernel keystore.
-
-### Setting Up `tlshd`
-
-For TLS protocol support, which handles authentication and encryption,
-the kernel handles data encryption only, so userland support is required
-for the TLS handshake. The `tlshd` daemon implements the handshake
-process.
-
-#### Requirements
-
-Ensure `tlshd` includes the commit `311d9438b984` ("tlshd: always link
-.nvme default keyring into the session") - likely in `ktls-utils` version
-0.12. Alternatively, you can set the keyring manually in
-`/etc/tlshd.conf`:
-
-```ini
-[authenticate]
-keyrings = .nvme
-```
-
-#### Enable/start tlshd
-
-No additional configuration is necessary for `tlshd`; simply start it as
-a daemon:
-
-```bash
-systemctl enable --now tlshd
-```
-
-### Loading Keys on Boot or Module Load
-
-When the kernel is establishing a TCP connection with TLS, the NVMe
-subsystem loads keys from the kernel keystore. This means these keys
-must be available in the keystore before establishing a connection.
-
-nvme-cli provides command line interfaces to create, import and export
-keys into the kernel keystore. Though it's not the only way to
-import/export keys. If there is another system component managing the
-keys, the following steps for creating and making the keys persistent
-over boot cycles are not necessary.
-
-To stress this point, the nvme-cli is explicitly trying to avoid handling
-the keys, the only requirement is that the keys are present in the
-keystore.
-
-#### Creating a New Key
-
-```bash
-nvme gen-tls-key \
- --hostnqn nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36 \
- --subsysnqn nqn.io-1 --hmac 1 --identity 1 --insert --keyfile /etc/nvme/tls-keys
-```
-
-This command creates a new host key, inserts it into the kernel keyring,
-and appends the derived TLS PSK to the keyfile (`/etc/nvme/tls-keys`).
-
-### Inserting an Existing Key
-
-```bash
-nvme check-tls-key \
- --hostnqn nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36 \
- --subsysnqn nqn.io-1 --identity 1 \
- --keydata NVMeTLSkey-1:01:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACtVQoZ: \
- --insert --keyfile /etc/nvme/tls-keys
-```
-
-This command inserts the configured key (`--keydata`) into the kernel
-keyring and appends the derived TLS PSK to the keyfile.
-
-### Loading Keys on Boot or Module Load
-
-The kernel keyring does not persist keys, so userland must import keys
-into the keyring upon each boot or module load (for NVMe-TCP). The
-nvme-tcp module provides the `psk` type keystore, thus only when the
-nvme-tcp module is available it possible to load keys into the keystore:
-
-```bash
-nvme tls --import --keyfile /etc/nvme/tls-keys
-```
-
-The `70-nvmf-keys.rules` udev rule
-([source](https://github.com/linux-nvme/nvme-cli/blob/master/nvmf-autoconnect/udev-rules/70-nvmf-keys.rules.in))
-will load keys from `/etc/nvme/tls-keys` automatically.
-
-```udev
-ACTION=="add", SUBSYSTEM=="module", KERNEL=="nvme_tcp", TEST=="@SYSCONFDIR@/tls-keys", RUN+="@SBINDIR@/nvme tls --import --keyfile @SYSCONFDIR@/tls-keys"
-```
-
-### Recommendation for Handling TLS Keys
-
-The `nvme connect` command also allows passing a TLS key directly via the
-command line or a JSON config file. Avoid this method in production
-environments, as it may expose keys.
-
-### Establishing a Connection
-
-Once the keys are in the keystore, add the `--tls` option to establish a
-secure connection:
-
-```bash
-nvme connect --transport tcp --traddr 192.168.154.148 --trsvcid 4420 \
- --hostnqn nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36 \
- --hostid befdec4c-2234-11b2-a85c-ca77c773af36 \
- --nqn nqn.io-1 --tls --dump-config --output-format json
-```
-
-The resulting JSON output can be saved to simplify future connections:
-
-```json
-[
- {
- "hostnqn": "nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36",
- "hostid": "befdec4c-2234-11b2-a85c-ca77c773af36",
- "subsystems": [
- {
- "nqn": "nqn.io-1",
- "ports": [
- {
- "transport": "tcp",
- "traddr": "192.168.154.148",
- "trsvcid": "4420",
- "dhchap_key": "none",
- "tls": true
- }
- ]
- }
- ]
- }
-]
-```
-
-Using this JSON file, you can connect with:
-
-```bash
-nvme connect --config config.json
-```
-
-## Setting Up the Target
-
-The same steps for creating keys and importing/exporting keys to/from the
-kernel are necessary for the target as they are for the host (see above).
-
-For the above example, you can use the `nvmetcli` config:
-
-```json
-{
- "hosts": [
- {
- "nqn": "nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36"
- }
- ],
- "ports": [
- {
- "addr": {
- "adrfam": "ipv4",
- "traddr": "0.0.0.0",
- "treq": "not specified",
- "trsvcid": "4420",
- "trtype": "tcp",
- "tsas": "tls1.3"
- },
- "ana_groups": [
- {
- "ana": {
- "state": "optimized"
- },
- "grpid": 1
- }
- ],
- "param": {
- "inline_data_size": "16384",
- "pi_enable": "0"
- },
- "portid": 0,
- "referrals": [],
- "subsystems": [
- "nqn.io-1"
- ]
- }
- ],
- "subsystems": [
- {
- "allowed_hosts": [
- "nqn.2014-08.org.nvmexpress:uuid:befdec4c-2234-11b2-a85c-ca77c773af36"
- ],
- "attr": {
- "allow_any_host": "0",
- "cntlid_max": "65519",
- "cntlid_min": "1",
- "firmware": "6.8.0-rc",
- "ieee_oui": "0x000000",
- "model": "Linux",
- "pi_enable": "0",
- "qid_max": "128",
- "serial": "0c74361069d9db6c65ef",
- "version": "1.3"
- },
- "namespaces": [
- {
- "ana": {
- "grpid": "1"
- },
- "ana_grpid": 1,
- "device": {
- "nguid": "00000000-0000-0000-0000-000000000000",
- "path": "/dev/vdb",
- "uuid": "91fdba0d-f87b-4c25-b80f-db7be1418b9e"
- },
- "enable": 1,
- "nsid": 1
- }
- ],
- "nqn": "nqn.io-1"
- }
- ]
-}
-```
-
-## Debugging tips
-
-- Increase the debug log output in tlshd:
-```ini
-[debug]
-loglevel=9
-```
-
-- To verify if any key is present you can look at the `/proc/keys` output:
-```bash
-cat /proc/keys | grep -i nvme
-```
-
-- The keys description is the key identifier and is defined in the TCP
-transport specification (see the 'TLS PSK and PSK Identity Derivation'
-section). The format is `NVMe<version>R<hmac> <hostnqn> <subsynqn> <PSK digest>`
-
-- The exported keys in the /etc/nvme/tls-keys file are one per line and
-the lines are formatted as `<identity> <PSK in interchange format>`. The
-`<PSK>` is the derive TLS PSK and not the retained nor the configured PSK.
-
-- If several keys available in the keystore which match up to the `<PSK digest>`
-the first match will be used. If this is the wrong key, it can be revoked by
-```bash
-nvme tls --revoke <identity>
-```
-
-- It's possible to provide a TLS key directly via the `nvme connect --tls
---tls-key` command. If only the key is provided, nvme-cli assumes it is a
-configured PSK and thus does all the key transformation and creates the
-identity automatically. If the `--tls-key-identity` is also present
-nvme-cli assumes it is a derived TLS PSK and does not attempt
-transformation on it and inserts the key directly into the keystore.
-
-- When the `nvme connect --tls-key` command is used, the `-vv` options
-will show the connect arguments passed to the kernel, including the key
-id numbers. These are in hex format and match with the output from
-`/proc/keys`.
projects / users / sagi / nvme-cli.git / commitdiff