On 06/03/2015 02:12 AM, Andrew Bartlett wrote:
> On Thu, 2015-05-28 at 13:03 -0700, Sage Weil wrote:
>> 2- make the key management pluggable, so that we can use petera,
>> /etc/ceph/keys, the ceph mons, or something else.
>
> Petera looks very much like what I was trying to home-grow, and I would
> prefer that over using the monitor nodes, as those are often shared with
> our storage nodes.

Hi,

the preferred way to go now is using LUKS and Petera
(https://github.com/npmccallum/petera), I should probably edit the blueprint
that is now kind of obsolete.

In general, the plain dm-crypt use is problematic because you have to handle
not only the key but also cipher metadata (cipher, key mode, etc.).

Ceph currently uses the cryptsetup default, which can be different in the
future or it can be changed per distro or during compilation time.

LUKS stores this information in the header, ensuring you will be able to open
it with proper attributes everywhere.

(And the LUKS header can be placed outside of the disk itself, but I do not
think this should be done here.)

Milan
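
An added example, not part of the original message or of Ceph or cryptsetup code: a minimal reader for the LUKS1 on-disk header, showing the cipher metadata that travels with a LUKS volume and is absent from a plain dm-crypt one. The function names and the sample header values are constructed for illustration.

```python
import struct

# LUKS1 header fields before the key slots (big-endian, 208 bytes):
# magic, version, cipher-name, cipher-mode, hash-spec, payload-offset,
# key-bytes, mk-digest, mk-digest-salt, mk-digest-iter, uuid.
LUKS1_MAGIC = b"LUKS\xba\xbe"
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")


def cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii")


def parse_luks1_header(buf):
    """Return the cipher metadata a LUKS1 header carries (hypothetical helper)."""
    if len(buf) < PHDR.size:
        raise ValueError("buffer too short for a LUKS1 header")
    (magic, version, cipher, mode, hash_spec,
     payload_off, key_bytes, _d, _s, _i, uuid) = PHDR.unpack_from(buf)
    if magic != LUKS1_MAGIC:
        # Plain dm-crypt leaves no marker: parameters must come from elsewhere.
        raise ValueError("no LUKS magic: plain dm-crypt or unencrypted data")
    if version != 1:
        raise ValueError("unsupported LUKS version %d" % version)
    return {
        "cipher_spec": "%s-%s" % (cstr(cipher), cstr(mode)),
        "hash": cstr(hash_spec),
        "key_bits": key_bytes * 8,
        "payload_offset_sectors": payload_off,
        "uuid": cstr(uuid),
    }


def build_sample_header():
    """Constructed header for the demo; values are illustrative, not real."""
    return PHDR.pack(LUKS1_MAGIC, 1, b"aes", b"xts-plain64", b"sha1",
                     4096, 32, bytes(20), bytes(32), 1000,
                     b"00000000-0000-0000-0000-000000000000")


if __name__ == "__main__":
    print(parse_luks1_header(build_sample_header()))
    try:
        parse_luks1_header(bytes(512))  # no header, as on a plain volume
    except ValueError as exc:
        print("plain volume:", exc)
```

With a plain dm-crypt mapping, the values in `cipher_spec`, `hash` and `key_bits` would have to be recorded and supplied by whatever manages the key.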