> On 16 December 2016 at 12:39, Amon Ott <a.ott@xxxxxxxxxxxx> wrote:
>
>
> On 16.12.2016 at 12:10, Wido den Hollander wrote:
> >
> >> On 16 December 2016 at 11:15, Amon Ott <a.ott@xxxxxxxxxxxx> wrote:
> >> for a customer we are currently designing a Ceph cluster, which shall be
> >> spread over two data centers. Data in the Ceph cluster is slightly
> >> confidential, so we would like to encrypt at least all Ceph traffic over
> >> the fast data center connection link.
> >>
> >
> > Fast as in low latency? Writes in Ceph are synchronous, so keep in mind that any increase in latency will decrease the write performance/latency on your Ceph cluster.
>
> Yes, we expect low latency and high bandwidth, but a connection shared
> with other services. Having locality for accesses by clients would of
> course help, too.
>

You can play a bit with primary affinity or modify CRUSH in such a way that the primary OSDs are always in the local DC.

> >> AFAICS, Ceph does not support data encryption at connection level yet,
> >> so we would have to set up VPN links between the two cluster networks.
> >> This means extra configuration, maintenance and overhead.
> >>
> >> How far away is TLS support or something similar for the Ceph
> >> connections? AFAIK, TLS support should not be hard to implement, but I
> >> am not too familiar with Ceph internals.
> >>
> >
> > Afaik there is no work currently in progress.
>
> I feared so.
>
> > You might implement IPSec on the nodes themselves. You might call that a VPN obviously, but IPSec can also just encrypt packets between nodes.
>
> Having quite a bit of experience with OpenVPN, we would rather use that
> than IPSec, and we would do it right on the Ceph nodes. Still, TLS in
> the connections would be better for lower latency.
>
> Also, we then need VPN connections between all nodes as well as from all
> clients to all nodes in the other location. The latter could be routed
> through local Ceph nodes, but that would give even more latency.
>

True.

Isn't there a possibility to encrypt the data before it goes into Ceph? I don't know what the use-case is, but if it is RBD why not encrypt the whole RBD device with LUKS / dm-crypt?

Just an idea though.

Wido

> Thanks for your answer,
>
> Amon.
> --
> Dr. Amon Ott
> m-privacy GmbH Tel: +49 30 24342334
> Werner-Voß-Damm 62 Fax: +49 30 99296856
> 12101 Berlin http://www.m-privacy.de
>
> Amtsgericht Charlottenburg, HRB 84946
>
> Managing directors:
> Dipl.-Kfm. Holger Maczkowsky,
> Roman Maczkowsky
>
> GnuPG-Key-ID: 0x2DD3A649
>
> --
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
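The primary-affinity suggestion in Wido's reply, as an added example that is not part of the thread: it walks a CRUSH tree (constructed sample, assumed to follow the `ceph osd tree -f json` layout with `datacenter` buckets; the DC and host names are made up) and emits the `ceph osd primary-affinity` commands that give remote-DC OSDs affinity 0 so primaries stay in the local DC.

```python
"""Derive `ceph osd primary-affinity` settings from a CRUSH tree so that
primary OSDs are chosen in the local data center. Example code, not Ceph's."""
import json

# Constructed sample, assumed to follow the `ceph osd tree -f json` layout:
# buckets carry a "children" list of node ids, OSD leaves have "type": "osd".
SAMPLE_TREE = json.dumps({"nodes": [
    {"id": -1, "name": "default", "type": "root", "children": [-2, -3]},
    {"id": -2, "name": "dc-a", "type": "datacenter", "children": [-4]},
    {"id": -3, "name": "dc-b", "type": "datacenter", "children": [-5]},
    {"id": -4, "name": "host-a1", "type": "host", "children": [0, 1]},
    {"id": -5, "name": "host-b1", "type": "host", "children": [2, 3]},
    {"id": 0, "name": "osd.0", "type": "osd"},
    {"id": 1, "name": "osd.1", "type": "osd"},
    {"id": 2, "name": "osd.2", "type": "osd"},
    {"id": 3, "name": "osd.3", "type": "osd"},
]})


def osds_by_datacenter(tree_json, dc_type="datacenter"):
    """Map each datacenter bucket name to the sorted OSD ids beneath it."""
    nodes = {n["id"]: n for n in json.loads(tree_json)["nodes"]}

    def leaf_osds(node_id):
        node = nodes[node_id]
        if node["type"] == "osd":
            return [node["id"]]
        return [o for c in node.get("children", []) for o in leaf_osds(c)]

    return {n["name"]: sorted(leaf_osds(n["id"]))
            for n in nodes.values() if n["type"] == dc_type}


def primary_affinity_commands(tree_json, local_dc):
    """Return the CLI commands that keep primaries in local_dc.
    Remote OSDs get affinity 0; local ones are explicitly set to 1 so the
    change is reversible and never leaves every OSD at 0 (a no-op for CRUSH)."""
    dcs = osds_by_datacenter(tree_json)
    if not dcs.get(local_dc):
        raise ValueError(f"no OSDs found under datacenter {local_dc!r}")
    cmds = []
    for dc, osds in sorted(dcs.items()):
        weight = 1.0 if dc == local_dc else 0.0
        cmds += [f"ceph osd primary-affinity osd.{o} {weight:g}" for o in osds]
    return cmds


if __name__ == "__main__":
    print("\n".join(primary_affinity_commands(SAMPLE_TREE, "dc-a")))
```

On Jewel-era clusters like the one in this thread, `mon osd allow primary affinity = true` must be set before the monitors accept these commands. Affinity only moves the primary (and so reads) to the local DC; replicated writes still wait for the remote OSDs, which is the latency point Wido raises above.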