Configuring NFS Kerberos permitted encryption types
By default, ONTAP supports the following encryption types for NFS Kerberos: DES, 3DES, AES-128, and AES-256. You can configure the permitted encryption types for each SVM to suit the security requirements for your particular environment by using the vserver nfs modify command with the -permitted-enc-types parameter.
About this task
For greatest client compatibility, ONTAP supports both weak DES and strong AES encryption by default. This means, for example, that if you want to increase security and your environment supports it, you can use this procedure to disable DES and 3DES and require clients to use only AES encryption.
You should use the strongest encryption available. For ONTAP, that is AES-256. You should confirm with your KDC administrator that this encryption level is supported in your environment.
Enabling or disabling AES entirely (both AES-128 and AES-256) on SVMs is disruptive because it destroys the original DES principal/keytab file, thereby requiring that the Kerberos configuration be disabled on all LIFs for the SVM.
Before making this change, you should verify that NFS clients do not rely on AES encryption on the SVM.
Enabling or disabling DES or 3DES does not require any changes to the Kerberos configuration on LIFs.
| If you want to enable or disable... | Follow these steps... |
|---|---|
| DES or 3DES | |
| AES-128 or AES-256 | |
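A pre-check you might run on an NFS client before restricting an SVM to AES, added here as an example and not taken from the ONTAP documentation: it parses `klist -ke` output and lists principals whose newest keytab entry has no encryption type the SVM would still permit. The mapping from the `-permitted-enc-types` values to Kerberos enctype names, the function names, and the sample listing are assumptions constructed for illustration.

```python
import re

# Assumed mapping from ONTAP -permitted-enc-types values to the enctype
# names printed by MIT `klist -ke`; adjust if your tools label them differently.
ONTAP_TO_KRB = {
    "des": {"des-cbc-crc", "des-cbc-md5"},
    "des3": {"des3-cbc-sha1"},
    "aes-128": {"aes128-cts-hmac-sha1-96"},
    "aes-256": {"aes256-cts-hmac-sha1-96"},
}

# "<kvno> <principal> (<enctype>)"; newer MIT releases prefix weak types
# with "DEPRECATED:", which is stripped here.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

def parse_keytab_listing(text):
    """Return {principal: {kvno: {enctype, ...}}} from `klist -ke` output."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match and are skipped
            kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
            keys.setdefault(principal, {}).setdefault(kvno, set()).add(enctype)
    return keys

def audit(text, permitted):
    """List principals whose newest key version has no permitted enctype."""
    allowed = set().union(*(ONTAP_TO_KRB[name] for name in permitted))
    blocked = []
    for principal, by_kvno in parse_keytab_listing(text).items():
        newest = by_kvno[max(by_kvno)]  # older key versions are ignored
        if not newest & allowed:
            blocked.append(principal)
    return sorted(blocked)

# Constructed sample listing (not output from a real system).
SAMPLE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 nfs/client1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 nfs/client1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 nfs/client2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 nfs/client2.example.com@EXAMPLE.COM (DEPRECATED:des3-cbc-sha1)
   1 nfs/client3.example.com@EXAMPLE.COM (des-cbc-crc)
"""

if __name__ == "__main__":
    for principal in audit(SAMPLE, ["aes-128", "aes-256"]):
        print("no permitted key:", principal)
```

A principal reported here needs new keys from the KDC administrator before the weaker encryption types are removed from the SVM.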