Hi,

Are you aware of the current efforts to support volume encryption in OpenStack?

http://lists.openstack.org/pipermail/openstack-dev/2013-February/005317.html
https://blueprints.launchpad.net/nova/+spec/encrypt-cinder-volumes

My 2cts ;-)

On 02/15/2013 02:57 AM, Sage Weil wrote:
> Alexandre and I have been working on adding basic dm-crypt support to
> ceph-disk-prepare/activate. At this point it is working reasonably well,
> but before we move forward I thought I'd see if anyone has
> feedback/comments on the implementation.
>
> The initial goals are very simple: transparently dm-crypt the volumes for
> the osd data and journal before we use them, and store the keys somewhere
> on the local host (currently /etc/ceph/dmcrypt-keys). Eventually we'll
> want to do something more sophisticated there--there is a whole industry to
> support key management and compliance for this sort of thing--but slotting
> that in later should be pretty simple.
>
> For now, the basic process looks like this:
>
> ceph-disk-prepare --dmcrypt DATADISK [JOURNALDISK]
>
> When --dmcrypt is passed, we generate a unique UUID for the data and
> journal both (the data one matches the OSD uuid), and label the
> GPT partitions. We also set the type to special "dmcrypted osd" and
> "dmcrypted journal" types. The dm-crypt mapped devices appear in
> /dev/mapper/$UUID, so the journal symlink inside the data dir of the
> data volume points there. Keys are stored in
> /etc/ceph/dmcrypt-keys/$UUID.
>
> Normally, to activate an OSD, a udev rule triggers on the osd partition
> type and runs ceph-disk-activate. In this case, it's slightly more
> complicated. A udev rule triggers on the encrypted journal partition type
> and starts dm-crypt (using the key in /etc/ceph/...). For the encrypted
> osd partition, we first start dm-crypt, then run ceph-disk-activate on the
> resulting /dev/mapper/$UUID volume.
>
> That's basically it. Leveraging udev makes this pretty simple, and should
> be portable to any distro (vs, say, using upstart events to do the same
> steps).
>
> Later, we may want to add some super-simple key management so that the
> keys are stored on the monitor instead of in a local directory, but for
> some users at least this is sufficient (where the concern is really about
> disposal of disks).
>
> See wip-dmcrypt in ceph.git to take a look.
>
> Thanks!
> sage

--
Loïc Dachary, Artisan Logiciel Libre
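As an added illustration of the activation path Sage describes (a udev rule firing on the "dmcrypted osd" partition type, opening the mapping with the key under /etc/ceph/dmcrypt-keys/$UUID, then running ceph-disk-activate on /dev/mapper/$UUID), here is a small helper script. It is not the wip-dmcrypt code; the function names, the cryptsetup plain-mode invocation, the UUID sanity check and the key-file permission check are all assumptions of this example, and KEYDIR defaults to the directory named in the mail.

```shell
#!/bin/sh
# Added example, not from the wip-dmcrypt branch: the "dmcrypted osd"
# activation flow, as a script a udev rule could call with the device node
# and the partition UUID. Helper names and checks are this example's own.
KEYDIR="${KEYDIR:-/etc/ceph/dmcrypt-keys}"   # key location named in the mail

# The UUID comes from udev and is spliced into a path under KEYDIR, so only
# accept the canonical 36-character form (hex digits and dashes); anything
# else, such as a "../" component, is rejected before touching the filesystem.
valid_uuid() {
    [ "${#1}" -eq 36 ] || return 1
    case "$1" in *[!0-9a-fA-F-]*) return 1 ;; esac
    return 0
}

# A key file that anyone other than root can read defeats the point of
# encrypting the disk; insist on a regular file with mode 0600 (GNU stat assumed).
key_file_ok() {
    key="$1"
    [ -f "$key" ] || return 1
    [ "$(stat -c %a "$key")" = "600" ] || return 1
    return 0
}

# Key file and mapped device for one encrypted volume, both keyed by the
# partition UUID exactly as the mail lays them out.
key_path()    { printf '%s/%s\n' "$KEYDIR" "$1"; }
mapper_path() { printf '/dev/mapper/%s\n' "$1"; }

# Open the dm-crypt mapping for an encrypted data or journal partition.
# Plain-mode cryptsetup with a raw key file is an assumption of this example.
open_dmcrypt() {
    dev="$1"; uuid="$2"
    valid_uuid "$uuid" || { echo "refusing malformed uuid: $uuid" >&2; return 1; }
    key_file_ok "$(key_path "$uuid")" || { echo "unusable key file for $uuid" >&2; return 1; }
    cryptsetup --key-file "$(key_path "$uuid")" open --type plain "$dev" "$uuid"
}

# Full flow for a "dmcrypted osd" partition: open the mapping, then hand the
# resulting /dev/mapper/$UUID device to ceph-disk-activate.
activate_encrypted_osd() {
    open_dmcrypt "$1" "$2" || return 1
    ceph-disk-activate "$(mapper_path "$2")"
}
```

The udev rule for the encrypted journal type would call only open_dmcrypt, since the data volume's journal symlink already points at /dev/mapper/$UUID.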