12.4. Configuring an NVMe/TCP host using TLS with Pre-Shared-Keys
You can configure a Non-volatile Memory Express™ (NVMe™) over TCP (NVMe™/TCP) host with TLS encryption enabled. The NVMe/TLS configuration authenticates the host and the target with a TLS Pre-Shared Key (PSK) instead of certificates, so both sides must hold the same configured PSK.
The NVM Express TCP Transport Specification defines a PSK Interchange Format for exchanging PSK information between systems. You can use nvme-cli or other methods to generate a PSK in this format (for example, create it on the storage target; see your vendor documentation). nvme-cli uses the configured PSK to derive a retained PSK that is bound to the Host NQN and inserts it into a kernel keyring, where the tlshd service uses it to complete the TLS handshake on behalf of the kernel.
NVMe/TCP using TLS is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
Prerequisites
- The nvme_tcp kernel module is installed on your system.
- The following packages are installed on your system:
  - nvme-cli
  - ktls-utils
- You have the Subsystem NVMe Qualified Name (Subsystem NQN).
- You have root permissions on the system.
Procedure
1. Configure the Pre-Shared Key keyring.
   a. Identify the Host NQN:
      # HOSTNQN=$(nvme show-hostnqn)
   b. Generate a new configured PSK and copy it so that the same PSK can be configured on the storage target. Handle the printed value as a secret: anyone who holds it can authenticate as this host.
      # PSK=$(nvme gen-tls-key)
      # echo $PSK
   c. Derive the retained PSK and insert it into the keyring. ${SUBSYSTEM} is the Subsystem NQN from the prerequisites, and --identity=1 selects version 1 of the PSK identity format:
      # nvme check-tls-key --insert --hostnqn=${HOSTNQN} --subsysnqn=${SUBSYSTEM} --keydata=${PSK} --identity=1
2. Configure the tlshd service.
   a. Add the keyring name to the /etc/tlshd.conf configuration file:
      ...
      [authenticate]
      keyring=.nvme
      ...
   b. Restart the tlshd service:
      # systemctl restart tlshd
3. Enable TLS for NVMe fabrics connections. ${TRADDR} is the transport address (IP address) of the NVMe/TCP target and 4420 is the default NVMe/TCP port:
   # nvme discover -t tcp --tls -a ${TRADDR} -s 4420
   # nvme connect -t tcp --tls -a ${TRADDR} -s 4420 -n ${SUBSYSTEM}
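A PSK received from a storage target in the PSK Interchange Format can be checked for integrity before it is inserted with nvme check-tls-key. The following validator and generator is an added example, not code from the Red Hat documentation or from nvme-cli. It implements the format as defined in the NVM Express TCP Transport Specification and emitted by nvme gen-tls-key: the literal prefix NVMeTLSkey-1, a hash indicator (01 for SHA-256 with a 32-byte PSK, 02 for SHA-384 with a 48-byte PSK), and the base64 encoding of the PSK followed by its little-endian CRC32, terminated by a colon. The function names (parse_tls_key, export_tls_key, gen_tls_key, is_valid_tls_key) and the PSKFormatError exception are this example's own.

```python
"""Validate and generate NVMe/TCP TLS PSKs in the PSK Interchange Format.

Added example; not part of nvme-cli or the Red Hat documentation.

    NVMeTLSkey-1:<hh>:<base64(PSK || CRC32(PSK))>:

  <hh>     hash indicator: 01 = SHA-256 (32-byte PSK), 02 = SHA-384 (48-byte PSK)
  CRC32    standard CRC-32 (zlib / binascii.crc32), appended little-endian
"""
import base64
import binascii
import os
import re
import struct

# Hash indicator -> length of the configured PSK in bytes.
HASH_KEY_LEN = {"01": 32, "02": 48}

# Whole-string shape: prefix, hash indicator, base64 payload, trailing colon.
_KEY_RE = re.compile(r"^NVMeTLSkey-1:(0[12]):([A-Za-z0-9+/]+={0,2}):$")


class PSKFormatError(ValueError):
    """Raised when a string is not a well-formed PSK Interchange Format key."""


def export_tls_key(psk):
    """Encode raw configured PSK bytes into the interchange format."""
    hash_id = {32: "01", 48: "02"}.get(len(psk))
    if hash_id is None:
        raise PSKFormatError("PSK must be 32 (SHA-256) or 48 (SHA-384) bytes long")
    crc = binascii.crc32(psk) & 0xFFFFFFFF
    payload = psk + struct.pack("<I", crc)  # CRC32 stored little-endian after the key
    return "NVMeTLSkey-1:%s:%s:" % (hash_id, base64.b64encode(payload).decode("ascii"))


def parse_tls_key(key_str):
    """Return (hash_id, psk_bytes) for a valid key string; raise PSKFormatError otherwise."""
    m = _KEY_RE.match(key_str.strip())
    if m is None:
        raise PSKFormatError("not in PSK Interchange Format (NVMeTLSkey-1:<hh>:<base64>:)")
    hash_id, b64 = m.group(1), m.group(2)
    try:
        payload = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise PSKFormatError("invalid base64 payload: %s" % exc) from exc
    key_len = HASH_KEY_LEN[hash_id]
    if len(payload) != key_len + 4:
        raise PSKFormatError("payload is %d bytes, expected %d (PSK) + 4 (CRC32)"
                             % (len(payload), key_len))
    psk = payload[:key_len]
    stored_crc = struct.unpack("<I", payload[key_len:])[0]
    actual_crc = binascii.crc32(psk) & 0xFFFFFFFF
    if stored_crc != actual_crc:
        # A copy/paste or transcription error in the key material lands here.
        raise PSKFormatError("CRC32 mismatch: stored %08x, computed %08x" % (stored_crc, actual_crc))
    return hash_id, psk


def is_valid_tls_key(key_str):
    """True if key_str parses cleanly, False for any format or CRC problem."""
    try:
        parse_tls_key(key_str)
    except PSKFormatError:
        return False
    return True


def gen_tls_key(hash_id="01"):
    """Generate a fresh random configured PSK (SHA-256 size unless hash_id is 02)."""
    if hash_id not in HASH_KEY_LEN:
        raise PSKFormatError("hash indicator must be 01 or 02")
    return export_tls_key(os.urandom(HASH_KEY_LEN[hash_id]))


if __name__ == "__main__":
    import sys
    # Usage: python3 psk_check.py <key>...   validates each key string
    #        python3 psk_check.py            prints a newly generated key
    if len(sys.argv) > 1:
        for arg in sys.argv[1:]:
            try:
                hash_id, psk = parse_tls_key(arg)
                print("OK   hash=%s psk_len=%d" % (hash_id, len(psk)))
            except PSKFormatError as exc:
                print("FAIL %s" % exc)
                sys.exit(1)
    else:
        print(gen_tls_key())
```

Run it with the value printed by echo $PSK, or with a key string supplied by the storage array, before passing that string to --keydata: a CRC32 mismatch means the key was altered in transit or transcription and would fail the TLS handshake with an unhelpful error later. The CRC protects integrity only, not confidentiality, so the key string must still be exchanged over a trusted channel.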
Verification
List the NVMe devices that are currently connected:
# nvme list
Node                  Generic               SN                   Model                                    Namespace  Usage                      Format           FW Rev
--------------------- --------------------- -------------------- ---------------------------------------- ---------- -------------------------- ---------------- --------
/dev/nvme4n1          /dev/ng4n1            81JJAJTOpnmUAAAAAAAB NetApp ONTAP Controller                  0x1        16.17 GB / 161.06 GB       4 KiB + 0 B      9.16.1
The nvme list output confirms that the namespace is attached but does not show whether the connection is protected by TLS. Because the connect command was issued with --tls, the connection is only established after a successful handshake; the handshake result is recorded in the tlshd service log, which you can inspect with journalctl -u tlshd.