I think that is a hard security pill to swallow, sending data in plaintext over the WAN. I think there are MITM and replay attack issues. I don't think anyone would knowingly send unencrypted file server content across the WAN.

I think in about 15 states or so, Sarbanes-Oxley laws prevent certain personal information from being "transmitted" in the clear. You need to ask a lawyer what that means. Maybe it doesn't apply here. This is information HR and Finance depts typically hold. I could see that some HR could be clueless on what their file system is doing with their data. Also, IT guys don't necessarily know corporate law. I don't know if HIPAA or the Gramm-Leach-Bliley Act would have problems. I don't think Equifax will use Ceph.

In a federated setup, is there a way to wrap the region to region traffic and encrypt?

On Mon, Oct 2, 2017 at 1:02 AM, Joao Eduardo Luis <joao@xxxxxxx> wrote:
> On 10/02/2017 07:18 AM, Two Spirit wrote:
>>>
>>> The Ceph Object Gateway supports server-side encryption of uploaded
>>> objects, with 3 options for the management of encryption keys. Server-side
>>> encryption means that the data is sent over HTTP in its unencrypted form,
>>> and the Ceph Object Gateway stores that data in the Ceph Storage Cluster in
>>> encrypted form.
>>
>>
>> It sounds like OSD to OSD traffic is unencrypted.
>>
>> 1) Does "stores data in the cluster in encrypted form" mean *only* if
>> the --dmcrypt option is used?
>>
>> 2) Does that mean the zone to zone copy across a WAN is also unencrypted?
>
>
> Ceph does not have on-the-wire encryption.
>
>   -Joao