Hi Wyllys,

On Fri, 21 Jul 2017, Wyllys Ingersoll wrote:
> Has anyone considered making the ceph-mon process fetch an external
> "master" wrapping key from an external server (preferably using KMIP
> protocol) to wrap/unwrap the ceph keys used for OSD encryption (or
> possibly other keys as well)?
>
> In certain environments, there are strict requirements to have
> external key management for disk-encryption keys. Now that keys for
> OSD encryption are stored in the monitor, it should be possible to
> wrap those keys in the monitor persistent storage with an external key
> so that the system could not be started without fetching the master
> wrapping key from an external source.
>
> I just wanted to check and see if anyone has done any work in this area.

This isn't currently possible. It could be done but would probably require some inelegant changes to the config-key service.

However, the dmcrypt key management was written to be modular so that some other key management service could be used instead of the mons. This should only require some hacking on the ceph-disk code that creates and stores these keys during prepare and fetches them on activate.

Note that there is also some early work on integrating with kerberos, but that doesn't address the dmcrypt key management at all.

sage
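The envelope-wrapping scheme the thread describes, as an added illustration that is not code from this thread or from Ceph: a per-OSD dmcrypt key is generated at "prepare", wrapped under a master key-encryption key (KEK) fetched from an external server, and only the wrapped blob is written to the monitor store; at "activate" the KEK is fetched again and the blob unwrapped, so the OSD cannot come up without the external server. `FakeKeyServer` is a constructed stand-in for a KMIP endpoint, the wrap primitive is an HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag standing in for AES key wrap (RFC 3394) so the example runs with the standard library alone, and the `dm-crypt/osd/<uuid>/luks` key path is an assumption that mirrors ceph-disk's config-key layout rather than an API the thread names.

```python
"""Envelope-wrapping a dmcrypt key with an external master key (example, not Ceph code)."""
import hashlib
import hmac
import secrets

KEY_LEN = 32    # bytes of the per-OSD dmcrypt key
NONCE_LEN = 16
TAG_LEN = 32


class ExternalKekUnavailable(Exception):
    """Raised when the external key server cannot deliver the master key."""


class FakeKeyServer:
    """Constructed stand-in for an external KMIP server: it holds the master
    key-encryption key (KEK) and hands it out by id, or not at all when offline."""

    def __init__(self):
        self._keys = {}
        self.online = True

    def create_kek(self, kek_id):
        self._keys[kek_id] = secrets.token_bytes(KEY_LEN)
        return kek_id

    def get_kek(self, kek_id):
        if not self.online or kek_id not in self._keys:
            raise ExternalKekUnavailable(kek_id)
        return self._keys[kek_id]


def _subkeys(kek):
    # Separate confidentiality and integrity keys derived from the KEK.
    return (hmac.new(kek, b"wrap-enc", hashlib.sha256).digest(),
            hmac.new(kek, b"wrap-mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode; a stand-in for AES key wrap (RFC 3394),
    # which a real KMIP deployment would use instead.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek, plaintext_key, aad):
    """Return nonce || ciphertext || tag; aad binds the blob to one OSD."""
    enc_key, mac_key = _subkeys(kek)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext_key, _keystream(enc_key, nonce, len(plaintext_key))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek, blob, aad):
    """Verify the tag before decrypting; any mismatch (tampering, wrong OSD, wrong KEK) is rejected."""
    enc_key, mac_key = _subkeys(kek)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def prepare_osd(osd_uuid, mon_store, key_server, kek_id):
    """'prepare' step: generate the dmcrypt key and store only its wrapped form."""
    dmcrypt_key = secrets.token_bytes(KEY_LEN)
    kek = key_server.get_kek(kek_id)
    mon_store[f"dm-crypt/osd/{osd_uuid}/luks"] = {   # assumed path, modelled on ceph-disk
        "kek_id": kek_id,
        "wrapped": wrap_key(kek, dmcrypt_key, osd_uuid.encode()),
    }
    return dmcrypt_key


def activate_osd(osd_uuid, mon_store, key_server):
    """'activate' step: no external KEK, no dmcrypt key, no OSD."""
    entry = mon_store[f"dm-crypt/osd/{osd_uuid}/luks"]
    kek = key_server.get_kek(entry["kek_id"])   # raises if the server is unreachable
    return unwrap_key(kek, entry["wrapped"], osd_uuid.encode())


def store_leaks_key(mon_store, osd_uuid, raw_key):
    """Check that the plaintext key never appears in what the mon persists."""
    return raw_key in mon_store[f"dm-crypt/osd/{osd_uuid}/luks"]["wrapped"]


if __name__ == "__main__":
    server = FakeKeyServer()
    kek_id = server.create_kek("master-kek-1")
    store = {}
    key = prepare_osd("osd-uuid-1", store, server, kek_id)
    print("activate ok:", activate_osd("osd-uuid-1", store, server) == key)
    server.online = False
    try:
        activate_osd("osd-uuid-1", store, server)
    except ExternalKekUnavailable as e:
        print("activate refused without external KEK:", e)
```

The property worth checking is the one Wyllys asks for: a copy of the monitor's persistent store on its own yields only wrapped blobs, and activation fails closed when the key server is unreachable or the blob has been altered. Binding the OSD uuid into the tag also stops a blob from being replayed for a different OSD.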