General-purpose NFS file systems in File Storage NAS (NAS) support encryption in transit. This feature uses Transport Layer Security (TLS) to protect data transmitted between your Elastic Compute Service (ECS) instance and NAS file system against interception or tampering.
Important: The TLS certificate used by the NAS client must be renewed before expiration. NAS sends notification emails one month in advance. If you do not update the aliyun-alinas-utils tool in time, mounted file systems will stop responding after the certificate expires.
Quick start
For experienced users, here's the fastest path to enable encryption in transit:
Install:
sudo yum install aliyun-alinas-utils-*.rpm
Mount:
sudo mount -t alinas -o tls,vers=3 <mount-target>:/ /mnt
Verify:
ps aux | grep stunnel
For detailed instructions, continue reading.
Prerequisites
Before you begin, ensure the following:
The ECS instance and NAS file system are in the same region.
The ECS instance and NAS mount target are in the same VPC. If they are in different VPCs, create a new mount target in your ECS instance's VPC. See Create a file system.
A General-purpose NFS file system is created. For more information, see Create a file system.
Note: If your NFS file system is already mounted, you must unmount it first, then remount with encryption enabled. See Unmount a file system in the NAS console.
Your ECS instance has internet access or an associated elastic IP address (EIP). See Network bandwidth.
Performance considerations
Enabling encryption in transit affects performance:
Metric | Impact |
Latency | ~10% higher |
IOPS | ~10% lower |
The NAS client uses the stunnel process for TLS encryption. For high-throughput workloads, each mount operation may consume up to one CPU core for encryption/decryption.
Supported configurations
Operating systems
Operating system | Supported versions |
Alibaba Cloud Linux | 2.1903 64-bit, 3.2104 LTS 64-bit |
Red Hat Enterprise Linux | 7.x 64-bit, 8.x 64-bit |
CentOS | 7.x 64-bit, 8.x 64-bit |
Ubuntu | 16.04, 18.04, 20.04 (64-bit) |
Debian | 9.x, 10.x (64-bit) |
How it works
The NAS client defines a network file system type called alinas, which is compatible with the standard mount command. When you specify the tls parameter:
The NAS client starts a stunnel process.
stunnel establishes an encrypted TLS connection to the NAS server.
A watchdog process (aliyun-alinas-mount-watchdog) monitors stunnel and automatically restarts it if terminated.
The stunnel process listens on local port 12049 (configurable). Before mounting, verify this port is available:
ss -ant | grep -w 12049
If no output appears, the port is available.
Step 1: Install the NAS client
Alibaba Cloud Linux/CentOS/Red Hat
# Download the NAS client
wget https://aliyun-encryption.oss-cn-beijing.aliyuncs.com/aliyun-alinas-utils-1.3-0.20241223174338.6bfadb.al7.noarch.rpm
# Install
sudo yum install aliyun-alinas-utils-*.rpm
# Verify installation
which mount.alinas
If the output shows /sbin/mount.alinas, the installation was successful.
Ubuntu/Debian
# Download the NAS client
wget https://aliyun-encryption.oss-cn-beijing.aliyuncs.com/aliyun-alinas-utils-1.3-0.20241223174338.6bfadb.deb
# Install
sudo dpkg -i aliyun-alinas-utils-*.deb
# Verify installation
which mount.alinas
Step 2: Mount with encryption enabled
Mount command
NFSv3 protocol:
sudo mount -t alinas -o tls,vers=3 file-system-id.region.nas.aliyuncs.com:/ /mnt
NFSv4.0 protocol:
sudo mount -t alinas -o tls,vers=4.0 file-system-id.region.nas.aliyuncs.com:/ /mnt
Example with actual values:
sudo mount -t alinas -o tls,vers=3 1234abcd.ap-southeast-1.nas.aliyuncs.com:/ /mnt
Mount parameters
Parameter | Description |
| Mount target. Find it in the NAS console > File System List > Manage > Mount Targets. For more information, see View mount target information. |
| The remote directory on the NAS. Use |
| The local mount point on your server. This directory must exist before mounting. |
| NFS protocol version: |
| Enables TLS encryption |
Verify the mount
# Check mount status
mount -l | grep alinas
# Check file system capacity
df -h /mnt
# Verify stunnel is running
ps aux | grep stunnel
If encryption is active, you'll see a stunnel process in the output.
Step 3: Configure automatic mounting (optional)
To automatically mount the file system at startup, add this line to /etc/fstab:
file-system-id.region.nas.aliyuncs.com:/ /mnt alinas _netdev,tls 0 0
Parameter | Description |
| Delays mounting until network is available |
| Backup flag (0 = no backup) |
| fsck order (0 = skip check at startup) |
Important: Test manual mounting before configuring automatic mounting. If the configuration is incorrect, the ECS instance may fail to start.
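A check to run before the reboot, as an added example (not part of the original documentation or the NAS client): it scans an fstab file for alinas entries that lack the tls or _netdev options described above. The function names and the sample file are constructed for illustration; call audit_alinas_fstab /etc/fstab to audit the real file.

```shell
#!/bin/sh
# Added example: audit fstab for alinas entries missing the options used on this page.

# Prints one finding per line; returns 0 when every alinas entry is clean, 1 otherwise.
audit_alinas_fstab() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }        # skip comments and blank lines
        $3 != "alinas" { next }        # only entries handled by the NAS client
        {
            # Compare whole options so a longer name containing "tls" never counts.
            n = split($4, opts, ",")
            tls = 0; netdev = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "tls")     tls = 1
                if (opts[i] == "_netdev") netdev = 1
            }
            if (!tls)    { print $2 ": missing tls, encryption in transit not requested"; bad = 1 }
            if (!netdev) { print $2 ": missing _netdev, mount may be attempted before the network is up"; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample input (placeholder mount targets, not real file systems).
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample
/dev/vda1 / ext4 defaults 0 1
file-system-id.region.nas.aliyuncs.com:/ /mnt alinas _netdev,tls 0 0
file-system-id.region.nas.aliyuncs.com:/ /data alinas _netdev,vers=3 0 0
file-system-id.region.nas.aliyuncs.com:/ /logs alinas tls,vers=4.0 0 0
EOF
}

sample=$(mktemp)
write_sample_fstab "$sample"
audit_alinas_fstab "$sample" || echo "fix the entries above before rebooting"
rm -f "$sample"
```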
After editing /etc/fstab, reboot and verify:
sudo reboot
# After restart:
df -h /mnt
NAS client logs
Log location
Log directory:
/var/log/aliyun/alinas/
Configuration file:
/etc/aliyun/alinas/alinas-utils.conf
After modifying the configuration file, restart the watchdog:
sudo service aliyun-alinas-mount-watchdog restart
Log configuration parameters
Parameter | Default | Description |
| INFO | Log verbosity level |
| 1048576 | Maximum log file size (1 MB) |
| 10 | Number of log files to retain |
| false | Enable detailed stunnel logs (uses significant storage) |
| false | Verify certificate hostname |
| false | Verify certificate validity |
Troubleshooting
Port conflict error
Symptom: Mount fails with a port conflict message.
Cause: Another process is using port 12049.
Solutions:
Find and stop the conflicting process:
ss -ant | grep -w 12049 # Identify and stop the process using this port
Change the NAS client port:
Edit /etc/aliyun/alinas/alinas-utils.conf and change the proxy_port value to an unused port (such as 12050), then try mounting again.