Re: LUKS encryption in OSDs (ceph-volume)

On Tue, 12 Dec 2017, Alfredo Deza wrote:
> On Tue, Dec 12, 2017 at 2:38 PM, Wyllys Ingersoll
> <wyllys.ingersoll@xxxxxxxxxxxxxx> wrote:
> > It's useful for legacy systems that installed with "plain" back when
> > that was the only option. Since there is no easy migration path for
> > re-keying an encrypted OSD to use a new encryption scheme, keeping
> > support for legacy "plain" is still very useful and desirable.
> 
> Yes, for sure we are going to support that legacy option. But for
> *newly* created OSDs, I was looking forward to following
> the preferred way with LUKS only.

It's worth mentioning that the "new" way for new ceph-volume OSD 
deployments will also be using LVM, and (presumably?) allow layering 
dm-crypt on top of an LV--not just a PV or raw device.  So this is more a 
question of what, clean slate, we want to do to deploy dm-crypt when the 
end result that we're after is an LV to feed to bluestore or filestore.  
I'm not sure how/where LUKS fits in in the LVM world...

Copying Milan, as I expect he has an opinion here?  :)

sage


> 
> >
> > On Tue, Dec 12, 2017 at 2:27 PM, Alfredo Deza <adeza@xxxxxxxxxx> wrote:
> >> We have started looking into encryption support in ceph-volume, and
> >> one of the unclear paths is if we really want to support both "plain"
> >> and "LUKS".
> >>
> >> According to the cryptsetup docs [0] :
> >>
> >>     (LUKS) is now the preferred way to set up disk encryption with
> >> dm-crypt using the cryptsetup utility
> >>
> >>
> >> ceph-disk supports both plain and LUKS, but moving forward, I was
> >> interested in understanding if anyone is really expecting the "plain"
> >> type to be a choice?
> >>
> >> The legacy support will mean that ceph-volume will have to deal with
> >> "plain", but moving forward it might be easier if we are supporting a
> >> single type of encryption with LUKS.
> >> --
> >> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> >> the body of a message to majordomo@xxxxxxxxxxxxxxx
> >> More majordomo info at  http://vger.kernel.org/majordomo-info.html