Re: external key mgr for ceph-mon?

On Fri, 21 Jul 2017, Wyllys Ingersoll wrote:
> Thanks.
> 
> I will look into the dmcrypt key mgmt interfaces, but I'm not
> optimistic.  One other problem is that if a cluster already has
> existing keys from the mons, and then someone wants to add external
> key management, everything has to be re-keyed which complicates the
> issue a bit.

It shouldn't be too bad to transition the keys stored in the mon to an 
external key server.  The keys need to be moved (probably easy) and the 
lockboxes on each OSD have to be updated to point to the new key server 
(with whatever info/token/keys are needed for that).

sage


> 
> 
> 
> On Fri, Jul 21, 2017 at 3:13 PM, Sage Weil <sage@xxxxxxxxxxxx> wrote:
> > Hi Wyllys,
> >
> > On Fri, 21 Jul 2017, Wyllys Ingersoll wrote:
> >> Has anyone considered making the ceph-mon process fetch an external
> >> "master" wrapping key from an external server (preferably using KMIP
> >> protocol) to wrap/unwrap the ceph keys used for OSD encryption (or
> >> possibly other keys as well)?
> >>
> >> In certain environments, there are strict requirements to have
> >> external key management for disk-encryption keys. Now that keys for
> >> OSD encryption are stored in the monitor, it should be possible to
> >> wrap those keys in the monitor persistent storage with an external key
> >> so that the system could not be started without fetching the master
> >> wrapping key from an external source.
> >>
> >> I just wanted to check and see if anyone has done any work in this area.
> >
> > This isn't currently possible.  It could be done but would probably
> > require some inelegant changes to the config-key service.  However, the
> > dmcrypt key management was written to be modular so that some other key
> > management service could be used instead of the mons.  This should only
> > require some hacking on the ceph-disk code that creates and stores these
> > keys during prepare and fetches them on activate.
> >
> > Note that there is also some early work on integrating with kerberos, but
> > that doesn't address the dmcrypt key management at all.
> >
> > sage
> 
> 
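The wrapping scheme proposed in the thread (per-OSD dmcrypt keys stored in the mon only in sealed form under an external master wrapping key) and the re-key transition Sage describes (move the keys under a new KEK without touching the encrypted OSD data), as an added example in Go that is not Ceph code. It assumes AES-256-GCM as the wrap primitive and a hypothetical WrappedKey layout; fetching the KEK from a KMIP server is out of scope, a byte slice stands in for it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// WrappedKey is the hypothetical record the config-key store would hold per OSD
// instead of the raw dmcrypt key: the key sealed under the external master key (KEK).
type WrappedKey struct {
	KEKID string // identifier of the master wrapping key on the external key server
	Nonce []byte
	Blob  []byte // AES-GCM ciphertext of the dmcrypt key, authentication tag appended
}

func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek) // kek must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrap seals a raw dmcrypt key under kek with a fresh random nonce (ceph-disk prepare).
// The KEK id is bound as associated data so a blob cannot be presented under another master key.
func wrap(kekID string, kek, dmcryptKey []byte) (WrappedKey, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return WrappedKey{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return WrappedKey{}, err
	}
	return WrappedKey{KEKID: kekID, Nonce: nonce, Blob: gcm.Seal(nil, nonce, dmcryptKey, []byte(kekID))}, nil
}

// unwrap recovers the dmcrypt key (ceph-disk activate); it fails if kek is wrong or the blob was altered.
func unwrap(w WrappedKey, kek []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, w.Nonce, w.Blob, []byte(w.KEKID))
}

// rekey moves a wrapped key from the old KEK to a new one: the dmcrypt key itself is unchanged,
// so the OSD's dm-crypt volume is not re-encrypted, only the sealed record in the store is replaced.
func rekey(w WrappedKey, oldKEK []byte, newKEKID string, newKEK []byte) (WrappedKey, error) {
	raw, err := unwrap(w, oldKEK)
	if err != nil {
		return WrappedKey{}, fmt.Errorf("rekey: cannot unwrap under %s: %w", w.KEKID, err)
	}
	return wrap(newKEKID, newKEK, raw)
}

func main() {
	old, cur := make([]byte, 32), make([]byte, 32) // constructed KEKs; a real KEK comes from the key server
	old[0], cur[0] = 1, 2
	w, _ := wrap("kek-2017-old", old, []byte("0123456789abcdef0123456789abcdef"))
	w2, err := rekey(w, old, "kek-2017-new", cur)
	if err != nil {
		panic(err)
	}
	_, errOld := unwrap(w2, old)
	fmt.Println("rekeyed under", w2.KEKID, "; old KEK still works:", errOld == nil)
}
```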