I've been playing around with NFS a bit trying to make the setup a tad more secure, and I've learned that NFSv4 is a lot more secure than v2/3. However most guides that I have found about setting up v4 includes kerberos - and I do *not* want kerberos. What I want is to use X.509v3 certificates to authN/authZ users and services and then do the traffic over an encrypted channel.

- I have a single NAS and another machine running multiple VMs. I'd like to tap into the NAS using NFS, but not necessarily the same shares for all VMs. On top of that, I have a couple of laptops etc as well.
- I don't trust my network 100%
- X.509 is not dependant upon trusted third party being online 24/7 (yes, I know about CRLs, but that's not the issue here).
- Users and services are handled the same way, kerberos (AFAIK) is user-oriented
- I'm familiar with X.509 and I have a simple infrastructure with my own CA
- I like making things overly complicated

As far as I've been able to understand, NFS and SPKM can do this - but I struggle to find useful documentation. Perhaps my google-mojo is fubar.

Anyways, am I on the right track, or have I misunderstood SPKM completely? And if I'm on the right track - does anyone know where I can find useful documentation?