Re: Encrypted over WAN?

On Mon, Oct 2, 2017 at 2:48 AM, Joao Eduardo Luis <joao@xxxxxxx> wrote:
> On 10/02/2017 10:46 AM, Two Spirit wrote:
>>
>> I think that is a hard security pill to swallow sending data in
>> plaintext over the WAN. I think there are mitm and replay attack
>> issues. I don't think anyone would knowingly send unencrypted file
>> server content across the WAN.
>>
>> I think in about 15 states or so, Sarbanes Oxley laws prevent certain
>> personal information to be "transmitted" in the clear. You need to ask
>> a lawyer what that means. Maybe it doesn't apply here. This is
>> information HR and Finance depts typically hold. I could see that some
>> HR could be clueless on what their file system is doing with their
>> data. Also IT guys don't necessarily know corporate law. I don't know
>> if HIPAA or Gramm-Leach-Bliley Act would have problems. I don't think
>> Equifax will use Ceph.
>>
>> In a federated setup, is there a way to wrap the region to region
>> traffic and encrypt?
>
>
> Just because Ceph doesn't natively encrypt on-the-wire communication, it
> doesn't mean you can't have an encrypted layer if that's something you need.
>
>   -Joao
>
>
>
>> On Mon, Oct 2, 2017 at 1:02 AM, Joao Eduardo Luis <joao@xxxxxxx> wrote:
>>>
>>> On 10/02/2017 07:18 AM, Two Spirit wrote:
>>>>>
>>>>>
>>>>> The Ceph Object Gateway supports server-side encryption of uploaded
>>>>> objects, with 3 options for the management of encryption keys.
>>>>> Server-side
>>>>> encryption means that the data is sent over HTTP in its unencrypted
>>>>> form,
>>>>> and the Ceph Object Gateway stores that data in the Ceph Storage
>>>>> Cluster in
>>>>> encrypted form.
>>>>
>>>>
>>>>
>>>> It sounds like OSD to OSD traffic is unencrypted.
>>>>
>>>> 1) Does "stores data in the cluster in encrypted form" mean *only* if
>>>> the --dmcrypt option is used?
>>>>
>>>> 2) Does that mean the zone to zone copy across a WAN is also
>>>> unencrypted?
>>>
>>>
>>>
>>> Ceph does not have on-the-wire encryption.
>>>
>>>    -Joao

Keep in mind there are two different protocols here. The internal Ceph
messenger protocol for OSD replication and RADOS clients is not
encrypted at all. But the RADOS Gateway multi-site federation all
happens over HTTP. And I believe it's easy to configure to HTTPS since
it provides all those encryption over-the-wire options. ;)
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
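The last reply makes the practical point: the messenger protocol used for OSD replication has no wire encryption, but RGW multi-site sync runs over HTTP, so the only thing that decides whether region-to-region traffic crosses the WAN in the clear is the scheme of the endpoints configured for each zone. The following script is an added example, not code from the thread or from the Ceph project; it audits a zonegroup definition and reports every endpoint that is not https. The JSON shape is assumed to match what `radosgw-admin zonegroup get` prints (a top-level `endpoints` list plus per-zone `endpoints` lists under `zones`); the sample document and host names are constructed for the example.

```python
import json
import sys
from urllib.parse import urlsplit

# Constructed sample in the assumed shape of `radosgw-admin zonegroup get`
# output. Only the fields this check reads are included. The host names
# are made up for the example.
SAMPLE_ZONEGROUP_JSON = """
{
  "name": "us",
  "endpoints": ["http://rgw-us-east.example.com:8080"],
  "zones": [
    {"name": "us-east", "endpoints": ["https://rgw-us-east.example.com"]},
    {"name": "us-west", "endpoints": ["http://rgw-us-west.example.com:8080",
                                      "https://rgw-us-west.example.com"]}
  ]
}
"""


def is_cleartext(endpoint):
    """True unless the endpoint URL uses the https scheme.

    An endpoint with no scheme at all (e.g. "host:8080") is also reported,
    because sync to it will not be TLS-protected either.
    """
    return urlsplit(endpoint).scheme.lower() != "https"


def find_cleartext_endpoints(zonegroup_json):
    """Return a list of (location, endpoint) pairs for every endpoint in the
    zonegroup document that would carry multi-site sync traffic over plain
    HTTP. An empty list means every configured endpoint uses https."""
    zg = json.loads(zonegroup_json)
    findings = []

    # Zonegroup-level endpoints are used to reach the zonegroup as a whole.
    for ep in zg.get("endpoints", []):
        if is_cleartext(ep):
            findings.append(("zonegroup " + zg.get("name", "?"), ep))

    # Per-zone endpoints are what peer zones pull from during sync.
    for zone in zg.get("zones", []):
        for ep in zone.get("endpoints", []):
            if is_cleartext(ep):
                findings.append(("zone " + zone.get("name", "?"), ep))
    return findings


def report(zonegroup_json):
    """Human-readable summary; returns the number of cleartext endpoints."""
    findings = find_cleartext_endpoints(zonegroup_json)
    for where, ep in findings:
        print("cleartext endpoint in %s: %s" % (where, ep))
    if not findings:
        print("all endpoints use https")
    return len(findings)


if __name__ == "__main__":
    # Pipe real output in (`radosgw-admin zonegroup get | python audit.py`)
    # or run with no input to check the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ZONEGROUP_JSON
    sys.exit(1 if report(data) else 0)
```

On the sample it reports the zonegroup endpoint and the first us-west endpoint, since both are plain http; the fix on a real deployment is to point the zone and zonegroup endpoints at TLS listeners (the gateway frontend must then actually terminate TLS on those ports), and a check like this one belongs in whatever reviews multi-site configuration changes so a cleartext endpoint cannot be added quietly later.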


