linux-drivers/
drivers/nvme/common

NVMe-oF Authentication and TLS Keyring Helpers

Shared code that handles in-band authentication (DH-HMAC-CHAP) and TLS pre-shared key management for NVMe over Fabrics, the modern protocol for accessing flash storage arrays across a network. It is used by both the host and target sides of NVMe/TCP to negotiate cryptographic credentials when Linux servers talk to enterprise storage from vendors like NetApp, Oracle, and others.

keep conf=0.94 deploy=medium replacement=none subsystem=nvme category=storage-block
94%

recommendation

It should stay because this is actively developed code underpinning a current, ratified storage standard. Upstream commits land regularly (most recently November 2025), a 2024 patch series added secure concatenation support, and the 2025 NVMe/TCP 1.2 specification along with shipping products from Oracle and NetApp all rely on exactly this functionality.

repository signals

4 files
1,134 source lines
30 commits, 5y
+1,288 / −130 lines added / removed, 5y
14 authors, 5y
monthly commits · 2021-04-21 → 2026-04-21 · 30 total · active in 14/61 months
2021 2022 2023 2024 2025 2026 2021-04: 0 commits · +0 −0 2021-05: 0 commits · +0 −0 2021-06: 0 commits · +0 −0 2021-07: 0 commits · +0 −0 2021-08: 0 commits · +0 −0 2021-09: 0 commits · +0 −0 2021-10: 0 commits · +0 −0 2021-11: 0 commits · +0 −0 2021-12: 0 commits · +0 −0 2022-01: 0 commits · +0 −0 2022-02: 0 commits · +0 −0 2022-03: 0 commits · +0 −0 2022-04: 0 commits · +0 −0 2022-05: 0 commits · +0 −0 2022-06: 2 commits · +487 −0 2022-07: 3 commits · +22 −15 2022-08: 0 commits · +0 −0 2022-09: 0 commits · +0 −0 2022-10: 1 commit · +1 −1 2022-11: 0 commits · +0 −0 2022-12: 0 commits · +0 −0 2023-01: 0 commits · +0 −0 2023-02: 0 commits · +0 −0 2023-03: 0 commits · +0 −0 2023-04: 0 commits · +0 −0 2023-05: 0 commits · +0 −0 2023-06: 0 commits · +0 −0 2023-07: 0 commits · +0 −0 2023-08: 3 commits · +188 −1 2023-09: 0 commits · +0 −0 2023-10: 7 commits · +63 −62 2023-11: 0 commits · +0 −0 2023-12: 1 commit · +1 −1 2024-01: 1 commit · +2 −0 2024-02: 0 commits · +0 −0 2024-03: 0 commits · +0 −0 2024-04: 0 commits · +0 −0 2024-05: 0 commits · +0 −0 2024-06: 0 commits · +0 −0 2024-07: 2 commits · +48 −10 2024-08: 0 commits · +0 −0 2024-09: 0 commits · +0 −0 2024-10: 1 commit · +1 −1 2024-11: 0 commits · +0 −0 2024-12: 0 commits · +0 −0 2025-01: 0 commits · +0 −0 2025-02: 4 commits · +402 −1 2025-03: 0 commits · +0 −0 2025-04: 1 commit · +3 −3 2025-05: 1 commit · +2 −13 2025-06: 0 commits · +0 −0 2025-07: 0 commits · +0 −0 2025-08: 2 commits · +66 −20 2025-09: 0 commits · +0 −0 2025-10: 0 commits · +0 −0 2025-11: 1 commit · +2 −2 2025-12: 0 commits · +0 −0 2026-01: 0 commits · +0 −0 2026-02: 0 commits · +0 −0 2026-03: 0 commits · +0 −0 2026-04: 0 commits · +0 −0

sources

  1. lwn.net

    August 13, 2024 upstream patch series 'nvme: implement secure concatenation' touches drivers/nvme/common/auth.c and keyring.c, showing active feature development rather than retirement.

  2. nvmexpress.org

    The ratified 2025 NVMe/TCP spec still requires/supports PSK with (EC)DHE and describes configured/generated TLS PSKs derived from NVMe authentication, so this functionality remains current in the standard.

  3. blogs.oracle.com

    Oracle's July 11, 2025 article describes shipping kernel support for NVMe in-band authentication and NVMe-TLS for NVMe/TCP, indicating contemporary deployment interest.

  4. docs.netapp.com

    NetApp ONTAP documentation dated December 16, 2025 documents configuring TLS secure channels for NVMe/TCP, showing current commercial product support.

codex reasoning notes (technical)

This is a real driver/module directory: Kconfig/Makefile build nvme-auth and nvme-keyring from auth.c and keyring.c, and the files carry MODULE_DESCRIPTIONs. Local source inspection via shell showed active NVMe auth/keyring code; provided static history already shows 28 substantive commits in 5y and a latest touch on 2025-11-20, which is incompatible with deprecation. Lore-specific shell tooling was unavailable here (lei missing; no lore MCP server exposed), so I checked upstream discussion via web search: LWN mirrored a 2024 kernel mailing-list patchset adding secure-concatenation work directly in this directory, and I found no removal/deprecation thread. Deployment evidence came from web search on the ratified NVMe/TCP 1.2 spec plus current Oracle and NetApp docs. Conclusion: active upstream, tied to still-current NVMe/TCP security features, so keep.