Thanks. I will look into the dmcrypt key mgmt interfaces, but I'm not optimistic. One other problem is that if a cluster already has existing keys from the mons, and then someone wants to add external key management, everything has to be re-keyed, which complicates the issue a bit.

On Fri, Jul 21, 2017 at 3:13 PM, Sage Weil <sage@xxxxxxxxxxxx> wrote:
> Hi Wyllys,
>
> On Fri, 21 Jul 2017, Wyllys Ingersoll wrote:
>> Has anyone considered making the ceph-mon process fetch an external
>> "master" wrapping key from an external server (preferably using KMIP
>> protocol) to wrap/unwrap the ceph keys used for OSD encryption (or
>> possibly other keys as well)?
>>
>> In certain environments, there are strict requirements to have
>> external key management for disk-encryption keys. Now that keys for
>> OSD encryption are stored in the monitor, it should be possible to
>> wrap those keys in the monitor persistent storage with an external key
>> so that the system could not be started without fetching the master
>> wrapping key from an external source.
>>
>> I just wanted to check and see if anyone has done any work in this area.
>
> This isn't currently possible. It could be done but would probably
> require some inelegant changes to the config-key service. However, the
> dmcrypt key management was written to be modular so that some other key
> management service could be used instead of the mons. This should only
> require some hacking on the ceph-disk code that creates and stores these
> keys during prepare and fetches them on activate.
>
> Note that there is also some early work on integrating with kerberos, but
> that doesn't address the dmcrypt key management at all.
>
> sage
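The wrapping scheme discussed in the thread, as an added example that is not code from the thread or from Ceph: a per-OSD dmcrypt key is stored in the monitor's key store only in wrapped form, encrypted under a master key (KEK) that exists solely in an external KMS, so activation cannot recover the key when the KMS is unreachable. `ExternalKMS`, `prepare_osd`, `activate_osd` and `rotate_master` are hypothetical names mirroring the prepare/activate split Sage mentions; the dictionary `store` stands in for the config-key store. The wrap itself is built from stdlib HMAC-SHA256 (a counter-mode keystream plus an authentication tag) purely so the example runs offline; a real integration would use AES-KW (RFC 3394) or AES-GCM from a proper crypto library or let the KMIP server perform the wrap.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


class ExternalKMS:
    """Stand-in for a KMIP server (hypothetical): the master wrapping key lives
    here and nowhere inside the cluster."""

    def __init__(self):
        self._keys = {}

    def create_key(self, key_id):
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def get_key(self, key_id):
        if key_id not in self._keys:
            raise KeyError("master key %r not available from KMS" % key_id)
        return self._keys[key_id]


def _subkey(kek, label):
    # Derive independent encryption and MAC keys from the KEK.
    return hmac.new(kek, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode, a stand-in for a block-cipher keystream.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap_key(kek, data_key):
    """Encrypt-then-MAC the data key under the KEK; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(kek, b"wrap-enc"), nonce, len(data_key))
    ct = bytes(a ^ b for a, b in zip(data_key, ks))
    tag = hmac.new(_subkey(kek, b"wrap-mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek, blob):
    """Verify the tag before decrypting: a wrong KEK or a tampered blob fails closed."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(kek, b"wrap-mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrapped key failed integrity check")
    ks = _keystream(_subkey(kek, b"wrap-enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def prepare_osd(store, kms, master_id, osd_id):
    """'prepare' analogue: mint a dmcrypt key, persist only its wrapped form."""
    data_key = secrets.token_bytes(32)
    store[osd_id] = {"master_id": master_id,
                     "wrapped": wrap_key(kms.get_key(master_id), data_key)}
    return data_key  # used once to set up the encrypted volume, then discarded


def activate_osd(store, kms, osd_id):
    """'activate' analogue: the stored blob is useless without the KMS."""
    entry = store[osd_id]
    return unwrap_key(kms.get_key(entry["master_id"]), entry["wrapped"])


def rotate_master(store, kms, old_id, new_id):
    """Re-wrap every entry under a new KEK; the dmcrypt keys themselves are unchanged."""
    old_kek, new_kek = kms.get_key(old_id), kms.get_key(new_id)
    for entry in store.values():
        if entry["master_id"] == old_id:
            entry["wrapped"] = wrap_key(new_kek, unwrap_key(old_kek, entry["wrapped"]))
            entry["master_id"] = new_id


def demo():
    kms = ExternalKMS()
    store = {}  # stands in for the monitor's config-key store (constructed)
    kms.create_key("kek-1")
    key_at_prepare = prepare_osd(store, kms, "kek-1", "osd.0")
    results = {"activate_matches_prepare": activate_osd(store, kms, "osd.0") == key_at_prepare}

    try:  # KMS unreachable / master key absent: activation cannot proceed
        activate_osd(store, ExternalKMS(), "osd.0")
        results["unavailable_master_fails"] = False
    except KeyError:
        results["unavailable_master_fails"] = True

    try:  # wrong master key: tag check fails instead of yielding garbage
        unwrap_key(secrets.token_bytes(32), store["osd.0"]["wrapped"])
        results["wrong_master_fails"] = False
    except ValueError:
        results["wrong_master_fails"] = True

    kms.create_key("kek-2")
    rotate_master(store, kms, "kek-1", "kek-2")
    results["rotation_preserves_key"] = activate_osd(store, kms, "osd.0") == key_at_prepare
    return results


if __name__ == "__main__":
    print(demo())
```

The tag is checked before any decryption so that an attacker who can write to the monitor's store gains nothing from altering a blob, and `rotate_master` shows the operational shape of changing the external master key: only the wrapped copies in the store are rewritten.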