Remote File System Volumes
The hardserver (Linux) or nFast Server (Windows) service restricts the paths that can be shared as RFS (Remote File System) volumes using the remote_file_system section of the config file or using the rserverperm --accessfiles command-line configuration.
By default, the following paths are permitted:
- /opt/nfast/kmdata (Linux).
- %NFAST_KMDATA%, typically C:\ProgramData\nCipher\Key Management Data (Windows).
- Any path that was created by the rfs-setup utility and associated with RFS volumes to prepare an RFS for an nShield HSM or for use with the rfs-sync utility.
- Subdirectories of permitted paths.
If you want to add custom paths not included in this list as RFS volumes, you must add them to the list of permitted paths before starting the hardserver (Linux) or nFast Server (Windows) service. If you make these changes after starting the service, you need to restart it for the changes to take effect.
You can update the list of permitted paths by either setting the NFSERV_RFS_ALLOWED_PATHS environment variable (see Allow custom RFS paths with an environment variable) or by creating an additional config.secure configuration file (see Allow custom RFS paths with a configuration file).
Allow custom RFS paths with an environment variable
- Linux
  - If the /etc/nfast.conf file does not already exist, create it. This file must only be writable by root. This is enforced by nShield start-up scripts.
  - Add the NFSERV_RFS_ALLOWED_PATHS environment variable to the nfast.conf file with a colon-separated list of paths (/<path>/share). For example, to share path1 and path 2 (spaces are permitted):
    export NFSERV_RFS_ALLOWED_PATHS=/path1/share:/path 2/share
- Windows
  - Create the NFSERV_RFS_ALLOWED_PATHS environment variable in the global system environment variables with a semicolon-separated list of paths (\<path>\share). For example, to share path1 and path 2 (spaces are permitted):
    C:\path1\share;D:\path 2\share
Allow custom RFS paths with a configuration file
- Create the config.secure file in /opt/nfast/hardserver.d (Linux) or the %PROGRAMDATA%\nCipher\hardserver.d directory, which is typically C:\ProgramData\nCipher\hardserver.d\config.secure.
- Add the paths as values in an rfs_allowed_paths JSON array. The JSON must be valid. For example, to share path1 and path 2 (spaces are permitted):
  - Linux
    { "rfs_allowed_paths" : ["/path1/share", "/path 2/share"] }
  - Windows
    { "rfs_allowed_paths" : ["C:\\path1\\share", "D:\\path 2\\share"] }
    You must use a backslash (\) to escape the backslashes in the path.
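
A pre-flight check for the contents of config.secure before the service is restarted, as an added example that is not part of the nShield software or its documentation. The function name check_rfs_config and the sample strings are constructed here; the control-character and whole-root checks are assumed hygiene rules of this example, not documented hardserver behaviour.

```python
import json
from pathlib import PurePosixPath, PureWindowsPath

def check_rfs_config(text, windows=False):
    """Return (accepted_paths, problems) for the text of a config.secure file."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [], [f"invalid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    entries = doc.get("rfs_allowed_paths") if isinstance(doc, dict) else None
    if not isinstance(entries, list):
        return [], ["rfs_allowed_paths is missing or is not a JSON array"]
    flavour = PureWindowsPath if windows else PurePosixPath
    accepted, problems = [], []
    for entry in entries:
        if not isinstance(entry, str) or not entry:
            problems.append(f"not a non-empty string: {entry!r}")
        elif any(ord(ch) < 32 for ch in entry):
            # "C:\temp" with single backslashes is still valid JSON: \t decodes
            # to a tab, so the parser accepts it and the path is silently wrong.
            problems.append(f"control character in path (unescaped backslash?): {entry!r}")
        elif not flavour(entry).is_absolute():
            problems.append(f"not an absolute path: {entry!r}")
        elif flavour(entry) == flavour(flavour(entry).anchor):
            # Assumed hygiene rule: subdirectories of a permitted path are also
            # permitted, so listing a root or drive would permit everything on it.
            problems.append(f"shares an entire root or drive: {entry!r}")
        else:
            accepted.append(entry)
    return accepted, problems

# Constructed samples: the two examples from the page, then two Windows mistakes.
LINUX_OK = '{ "rfs_allowed_paths" : ["/path1/share", "/path 2/share"] }'
WINDOWS_OK = r'{ "rfs_allowed_paths" : ["C:\\path1\\share", "D:\\path 2\\share"] }'
WINDOWS_UNESCAPED = r'{ "rfs_allowed_paths" : ["C:\path1\share"] }'  # \p: parse error
WINDOWS_SILENT = r'{ "rfs_allowed_paths" : ["C:\temp\backup"] }'     # \t, \b: parses

if __name__ == "__main__":
    for name, text, win in [("linux", LINUX_OK, False), ("windows", WINDOWS_OK, True),
                            ("unescaped", WINDOWS_UNESCAPED, True),
                            ("silent", WINDOWS_SILENT, True)]:
        print(name, check_rfs_config(text, windows=win))
```

The last sample shows why a plain JSON validity check is not sufficient on Windows: some single-backslash sequences are legal JSON escapes, so the file parses but the permitted path is not the one intended.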