Hi all, just as a quick preface: I'm fairly new to ceph, so forgive me any blunders :) But back to the topic. after following several discussions on how to implement data-at-rest encryption in ceph i want to add my two cents. What is used: a dedicated FTPS server for key-handling How it will work: Specify your key-server in ceph.conf. Preparing and activating an OSD as usual via --dmcrypt. The newly created key will be uploaded and deleted locally. On the initial unlock it will already be retrieved via network. Why is this a good way: Taking in consideration that MONs are not the best place to put the keys imho, a dedicated machine is a good place to put them since you are able to take care of additional security arrangements. What needs attention: - The dedicated server is a single point of failure. - If you add more servers, is rsync enough? - Prevent swapping on key retrieval. (mlockall) This is what i did so far: https://github.com/jschmid1/ceph/commit/fee26890c24bd3a7b8865295546297e3f144e6d0?diff=unified ANY feedback is welcome :) -- Freundliche Grüße - Kind regards, Joshua Schmid Trainee - Storage SUSE Linux GmbH - Maxfeldstr. 5 - 90409 Nürnberg -------------------------------------------------------------------------------------------------------------------- SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg) -------------------------------------------------------------------------------------------------------------------- -- To unsubscribe from this list: send the line "unsubscribe ceph-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
