Mount Helper for secure file share connections

Mount Helper automates encryption in transit for File Storage for VPC. The utility configures IPsec tunnels for zonal shares and TLS connections for regional shares.

What is Mount Helper?

Mount Helper is an open source automation tool that configures and establishes secure communication between your compute resources (virtual server instances or bare metal servers) and File Storage for VPC. The utility handles the complexity of setting up encryption in transit, managing certificates, and establishing secure tunnels, so you can focus on using your file shares rather than configuring security infrastructure.

Mount Helper supports two different encryption methods depending on whether you're using zonal or regional file shares:

  • IPsec encapsulation for zonal file shares
  • Stunnel secure connections for regional file shares

In-transit encryption types

IPsec encapsulated connection for zonal shares

The utility uses strongSwan and swanctl to configure IPsec on the compute host that's running a Linux OS.

The File Storage for VPC IPsec connection requires mutual authentication. Mount Helper retrieves the instance or bare metal server identity token from the Metadata service, then uses that token to request the creation of the instance or bare metal server identity certificate.

Mount Helper requests a new certificate every 45 minutes because the lifetime of the certificate is 1 hour. The new certificate is generated before the old one expires so that the connection continues without interruption. The short lifetime is a security measure: it limits the window in which a leaked or stale certificate remains usable.
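
The 45-minute renewal against a 1-hour lifetime, modelled as an added Python example (not Mount Helper's own code): it exposes the 15-minute margin that keeps the tunnel authenticated when a certificate request fails, and retries a failed request while the old certificate is still valid. The one-minute retry interval, the issuer stub and the start timestamp are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CERT_LIFETIME = timedelta(hours=1)      # lifetime stated on the page
RENEW_INTERVAL = timedelta(minutes=45)  # renewal cadence stated on the page
RETRY_INTERVAL = timedelta(minutes=1)   # assumed: retry cadence after a failed request

@dataclass
class IdentityCert:
    not_before: datetime
    not_after: datetime

    def is_valid_at(self, t: datetime) -> bool:
        return self.not_before <= t < self.not_after

def safety_margin(lifetime=CERT_LIFETIME, interval=RENEW_INTERVAL) -> timedelta:
    """How long the old certificate stays valid once renewal is first attempted."""
    margin = lifetime - interval
    if margin <= timedelta(0):
        raise ValueError("renewal interval must be shorter than the certificate lifetime")
    return margin

class Rotator:
    def __init__(self, issuer, start: datetime):
        self.issuer = issuer          # stand-in for the metadata-token -> certificate request
        self.cert = issuer(start)
        self.next_attempt = start + RENEW_INTERVAL
        self.failures = 0

    def tick(self, now: datetime) -> bool:
        if now >= self.next_attempt:  # renewal due: ask the issuer for a fresh certificate
            new = self.issuer(now)
            if new is None:           # request failed: keep the old cert, retry soon
                self.failures += 1
                self.next_attempt = now + RETRY_INTERVAL
            else:
                self.cert, self.next_attempt = new, now + RENEW_INTERVAL
        return self.cert.is_valid_at(now)  # is the active certificate valid right now?

def simulate(hours: int, fail_at=()) -> tuple:
    """Tick once a minute; fail_at lists minutes at which the issuer fails. Returns (always valid, failures)."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed start time
    def issuer(now: datetime) -> Optional[IdentityCert]:
        minute = int((now - start).total_seconds() // 60)
        return None if minute in fail_at else IdentityCert(now, now + CERT_LIFETIME)
    rot = Rotator(issuer, start)
    ok = all(rot.tick(start + timedelta(minutes=m)) for m in range(1, hours * 60 + 1))
    return ok, rot.failures
```

A single failed request at minute 45 is absorbed by the margin; sixteen consecutive failures (minutes 45 through 60) exhaust it and the host is left without a valid identity certificate.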

You can use the utility for encrypted or unencrypted connections. For encrypted connections, Mount Helper uses the metadata service protocol option, which is set to either http or https. For more information, see the API reference for the metadata_service option of instance provisioning and bare metal server provisioning.

Stunnel secure connection for regional shares

The Mount Helper utility installs stunnel on the compute host that's running a Linux OS. Stunnel is an application that creates encrypted TLS tunnels between clients and servers for secure communication. In client mode, stunnel initiates a connection from your virtual server instance or bare metal server to the file share and tunnels data over a secure connection. Stunnel requires a PEM file, which typically contains a private key and a certificate. When stunnel operates in client mode, it relies on the system-wide SSL/TLS configuration and certificates. It can use the default PEM file provided by the Linux distribution rather than generating a custom certificate. The PEM file is often located in the /etc/ssl/private or /etc/pki/tls/private directory.

Requirements

Before you can use Mount Helper, ensure that your environment meets the following requirements:

Do not add the Mount Helper installer script to your cloud-init configuration. The utility requires a running and stable VSI to operate, as the script makes Metadata API requests for host identity verification.

Restrictions and limitations

Be aware of the following restrictions when using Mount Helper:

  • For IPsec encapsulation, the same certificates cannot be used across multiple regions.

  • The Mount Helper is supported on Linux hosts only. See the following table for the supported distributions:

    Supported host OS distributions

    Supported OS                   Supported OS                   Supported OS
    RHEL_8 [8.4, 8.6, 8.8, 8.10]   RHEL_9 [9.0, 9.2, 9.4]         RHCOS 4.1 and newer
    UBUNTU_2204                    UBUNTU_2404                    SAP_SLES_15_SP3_HANA
    CENTOS_STREAM_9                CENTOS_STREAM_10               SAP_SLES_15_SP4_HANA
    DEBIAN_11                      DEBIAN_12                      SAP_SLES_15_SP3_APPLICATIONS
    ROCKYLINUX_8 [8.9, 8.10]       ROCKYLINUX_9 [9.4, 9.5]        SAP_SLES_15_SP4_APPLICATIONS

Next steps