Re: Encrypted over WAN?

One suggestion I have is to have the documentation specify TLS/SSL in
the setup instructions so the default would be encrypted transport.

On Mon, Oct 2, 2017 at 9:42 AM, Two Spirit <twospirit6905@xxxxxxxxx> wrote:
> Great! I thought the HTTP was for the REST API, but if port 80
> contains all the WAN traffic, just moving it to port 443 would be
> acceptable. I'll assume this works for now.
>
> On Mon, Oct 2, 2017 at 8:34 AM, Gregory Farnum <gfarnum@xxxxxxxxxx> wrote:
>> On Mon, Oct 2, 2017 at 2:48 AM, Joao Eduardo Luis <joao@xxxxxxx> wrote:
>>> On 10/02/2017 10:46 AM, Two Spirit wrote:
>>>>
>>>> I think that is a hard security pill to swallow sending data in
>>>> plaintext over the WAN. I think there are mitm and replay attack
>>>> issues. I don't think anyone would knowingly send unencrypted file
>>>> server content across the WAN.
>>>>
>>>> I think in about 15 states or so, Sarbanes-Oxley laws prevent certain
>>>> personal information from being "transmitted" in the clear. You need to ask
>>>> a lawyer what that means. Maybe it doesn't apply here. This is
>>>> information HR and Finance depts typically hold. I could see that some
>>>> HR could be clueless on what their file system is doing with their
>>>> data. Also IT guys don't necessarily know corporate law. I don't know
>>>> if HIPAA or the Gramm-Leach-Bliley Act would have problems. I don't think
>>>> Equifax will use Ceph.
>>>>
>>>> In a federated setup, is there a way to wrap the region to region
>>>> traffic and encrypt?
>>>
>>>
>>> Just because Ceph doesn't natively encrypt on-the-wire communication, it
>>> doesn't mean you can't have an encrypted layer if that's something you need.
>>>
>>>   -Joao
>>>
>>>
>>>
>>>> On Mon, Oct 2, 2017 at 1:02 AM, Joao Eduardo Luis <joao@xxxxxxx> wrote:
>>>>>
>>>>> On 10/02/2017 07:18 AM, Two Spirit wrote:
>>>>>>>
>>>>>>>
>>>>>>> The Ceph Object Gateway supports server-side encryption of uploaded
>>>>>>> objects, with 3 options for the management of encryption keys.
>>>>>>> Server-side encryption means that the data is sent over HTTP in its
>>>>>>> unencrypted form, and the Ceph Object Gateway stores that data in the
>>>>>>> Ceph Storage Cluster in encrypted form.
>>>>>>
>>>>>>
>>>>>>
>>>>>> It sounds like OSD to OSD traffic is unencrypted.
>>>>>>
>>>>>> 1) Does "stores data in the cluster in encrypted form" mean *only* if
>>>>>> the --dmcrypt option is used?
>>>>>>
>>>>>> 2) Does that mean the zone to zone copy across a WAN is also
>>>>>> unencrypted?
>>>>>
>>>>>
>>>>>
>>>>> Ceph does not have on-the-wire encryption.
>>>>>
>>>>>    -Joao
>>
>> Keep in mind there are two different protocols here. The internal Ceph
>> messenger protocol for OSD replication and RADOS clients is not
>> encrypted at all. But the RADOS Gateway multi-site federation all
>> happens over HTTP. And I believe it's easy to configure to HTTPS since
>> it provides all those over-the-wire encryption options. ;)
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
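The thread makes two points worth checking mechanically on a running cluster: the RGW frontend may be listening on plaintext HTTP (the default the top post wants the docs to move away from), and the multi-site zone endpoints that drive region-to-region replication may be registered as http:// rather than https://. The script below is an added example, not code from this thread or from the Ceph project. It audits a ceph.conf fragment and a zonegroup definition for plaintext transport. The civetweb frontend syntax (a trailing `s` on the port, plus `ssl_certificate=`) follows the Ceph documentation of that era; the zonegroup JSON shape is modelled on `radosgw-admin zonegroup get` output, and every hostname, id and path in the samples is a constructed placeholder.

```python
"""Audit an RGW multi-site setup for plaintext (HTTP) transport.

Added example for this thread; not from the thread or the Ceph project.
Sample inputs are constructed. Assumptions: civetweb frontend option syntax
(port=443s, ssl_certificate=...) and the zonegroup JSON layout.
"""
import json
import re
from urllib.parse import urlparse

# Constructed ceph.conf fragment showing the common plaintext default.
SAMPLE_CEPH_CONF = """
[client.rgw.gateway1]
rgw frontends = civetweb port=80
rgw zone = us-east
"""

# Constructed zonegroup, modelled on `radosgw-admin zonegroup get`; all values made up.
SAMPLE_ZONEGROUP_JSON = json.dumps({
    "id": "zonegroup-id-placeholder",
    "name": "us",
    "endpoints": ["http://rgw-east.example.invalid:80"],
    "master_zone": "zone-east-placeholder",
    "zones": [
        {"id": "zone-east-placeholder", "name": "us-east",
         "endpoints": ["http://rgw-east.example.invalid:80"]},
        {"id": "zone-west-placeholder", "name": "us-west",
         "endpoints": ["https://rgw-west.example.invalid:443"]},
    ],
})

# Matches `rgw frontends = ...` or `rgw_frontends = ...` lines in ceph.conf.
FRONTENDS_RE = re.compile(r"^\s*rgw[ _]frontends\s*=\s*(.+?)\s*$", re.M)


def frontend_findings(conf_text):
    """Return a finding string per `rgw frontends` line that is not fully TLS."""
    findings = []
    for match in FRONTENDS_RE.finditer(conf_text):
        opts = match.group(1).split()
        name = opts[0] if opts else ""
        # Remaining tokens are key=value options, e.g. port=80+443s
        kv = dict(opt.split("=", 1) for opt in opts[1:] if "=" in opt)
        ports = [p for p in kv.get("port", "").split("+") if p]
        # civetweb marks a TLS listener with a trailing 's' (port=443s).
        plain = [p for p in ports if not p.endswith("s")]
        if plain:
            findings.append(
                f"frontend {name}: plaintext listener(s) on port {', '.join(plain)}")
        if any(p.endswith("s") for p in ports) and "ssl_certificate" not in kv:
            findings.append(
                f"frontend {name}: TLS port configured without ssl_certificate")
    return findings


def endpoint_findings(zonegroup_json):
    """Return a finding string for each zonegroup or zone endpoint not using https."""
    zonegroup = json.loads(zonegroup_json)
    scopes = [("zonegroup " + zonegroup.get("name", "?"), zonegroup.get("endpoints", []))]
    scopes += [("zone " + z.get("name", "?"), z.get("endpoints", []))
               for z in zonegroup.get("zones", [])]
    findings = []
    for scope, endpoints in scopes:
        for endpoint in endpoints:
            if urlparse(endpoint).scheme.lower() != "https":
                findings.append(f"{scope}: plaintext endpoint {endpoint}")
    return findings


def audit(conf_text, zonegroup_json):
    """Combine frontend and endpoint checks; an empty list means all-TLS."""
    return frontend_findings(conf_text) + endpoint_findings(zonegroup_json)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CEPH_CONF, SAMPLE_ZONEGROUP_JSON):
        print("WARN", finding)
```

On a real deployment you would feed it the gateway's ceph.conf and the output of `radosgw-admin zonegroup get`; a clean run means every frontend port carries the `s` suffix with a certificate configured and every replication endpoint is https://. The hardened frontend line the check accepts looks like `rgw frontends = civetweb port=443s ssl_certificate=/etc/ceph/private/keyandcert.pem` (path is illustrative), and a zone endpoint is updated with `radosgw-admin zone modify --rgw-zone=<zone> --endpoints=https://...` followed by `radosgw-admin period update --commit`.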


