Has anyone considered making the ceph-mon process fetch an external "master" wrapping key from an external server (preferably using KMIP protocol) to wrap/unwrap the ceph keys used for OSD encryption (or possibly other keys as well)?

In certain environments, there are strict requirements to have external key management for disk-encryption keys. Now that keys for OSD encryption are stored in the monitor, it should be possible to wrap those keys in the monitor persistent storage with an external key so that the system could not be started without fetching the master wrapping key from an external source.

I just wanted to check and see if anyone has done any work in this area.

Wyllys Ingersoll
Keeper Technology, LLC
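The startup dependency described in the message above, as an added example that is not part of the original post and is not Ceph code: a stored key blob can only be unwrapped once the key-encryption key (KEK) is in hand. It assumes AES Key Wrap (RFC 3394) as the wrapping algorithm, which the post does not specify; `Unwrap` and `storedBlob` are hypothetical names, and the KEK is a constructed value standing in for what a KMIP server would return.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// RFC 3394 default initial value; recovering it proves the KEK was the right one.
var iv = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// Unwrap (hypothetical name) recovers a key from an RFC 3394 AES Key Wrap blob.
func Unwrap(kek, blob []byte) ([]byte, error) {
	c, err := aes.NewCipher(kek)
	if err != nil || len(blob) < 24 || len(blob)%8 != 0 {
		return nil, errors.New("bad KEK or blob length")
	}
	buf := append([]byte{}, blob...) // A || R[1..n], worked on in place
	n, b := len(buf)/8-1, make([]byte, 16)
	for t := 6 * n; t >= 1; t-- { // t = n*j + i, walked from last step to first
		r := buf[8*((t-1)%n+1):][:8] // R[i] for this step
		binary.BigEndian.PutUint64(b, binary.BigEndian.Uint64(buf)^uint64(t))
		copy(b[8:], r)
		c.Decrypt(b, b) // B = AES^-1(KEK, (A xor t) || R[i])
		copy(buf, b[:8])
		copy(r, b[8:])
	}
	if subtle.ConstantTimeCompare(buf[:8], iv) != 1 {
		return nil, errors.New("integrity check failed: wrong KEK or modified blob")
	}
	return buf[8:], nil
}

// Constructed sample: the RFC 3394 section 4.1 test vector stands in for a
// wrapped OSD encryption key as it would sit in persistent storage.
const storedBlob = "1fa68b0a8112b447aef34bd8fb5a7b829d3e862371d2cfe5"

func main() {
	blob, _ := hex.DecodeString(storedBlob)
	// Constructed KEK; in the proposed design it would come from the external server.
	kek, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	key, err := Unwrap(kek, blob)
	fmt.Printf("KEK fetched:     key=%x err=%v\n", key, err)
	_, err = Unwrap(make([]byte, 16), blob) // a different KEK yields no key at all
	fmt.Printf("KEK unavailable: err=%v\n", err)
}
```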