Re: LUKS encryption in OSDs (ceph-volume)

On 12/14/2017 03:00 PM, Alfredo Deza wrote:
> On Thu, Dec 14, 2017 at 8:49 AM, Milan Broz <mbroz@xxxxxxxxxx> wrote:
>> On 12/14/2017 02:17 PM, Alfredo Deza wrote:

>> I have currently lost the overview of what Ceph is doing, but for unlocking
>> of a crypt device - LUKS2 allows you to store the passphrase in the kernel keyring
>> (in advance) and then the device is unlocked automatically.
>> (It needs a "token" configured in the metadata - in the case of the keyring
>> it is just the key name in the keyring.)
> 
> Do you have docs that explain this bit in detail? We were just going
> to do what was done already by ceph-disk, that differs a lot from the
> kernel keyring
> workflow.

We have some examples and I plan to write a short blog post regarding keyring use.
But the best would be to talk directly to Ondra Kozina (cc), who wrote this keyring
part of the code and can help you to understand what is possible.

>> Maybe it can simplify your key management in future with LUKS.
>>
>> (LUKS2 is already in Fedora rawhide and in some experimental repos of other distros.
>> It needs some time to be widely used and I know it will need some fixes - but in principle
>> the things mentioned above already work.)
> 
> That is a big gotcha though, we would need 100% availability in the
> distros/versions we support at release time (around April-May 2018)

Yes, I think we should stick with LUKS1 for now.
But we can plan something more simple with LUKS2 in the future.
 
> Are you leaning towards encrypting the physical devices over
> encrypting LVs ? I'm not seeing any risks so far in just going the lv
> encryption route (yet)

See the other mail - both work; if it makes more sense to use LUKS on top, that's ok.

Milan
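The LUKS2 keyring-token unlock Milan describes above, written out as an added example that is not part of this thread or of cryptsetup's own documentation. It assumes root, cryptsetup 2.x, keyutils (keyctl) and losetup; the key description "osd-demo", the passphrase and the loop image are constructed values, and the function skips cleanly when the prerequisites are missing.

```shell
#!/bin/sh
# Added example (not from the thread): LUKS2 keyring-token unlock on a loop
# device. The key description "osd-demo" and the passphrase are constructed.
set -eu

luks2_keyring_demo() {
    # Needs root plus cryptsetup 2.x, keyctl (keyutils) and losetup; skip otherwise.
    if [ "$(id -u)" -ne 0 ]; then
        echo "skipped: needs root, cryptsetup 2.x, keyutils, losetup"; return 0
    fi
    for tool in cryptsetup keyctl losetup; do
        command -v "$tool" >/dev/null 2>&1 || { echo "skipped: $tool missing"; return 0; }
    done

    img=$(mktemp /tmp/luks2-demo.XXXXXX)
    dd if=/dev/zero of="$img" bs=1M count=64 status=none
    dev=$(losetup --find --show "$img")
    passphrase="constructed-demo-passphrase"   # constructed, never use for real
    keydesc="osd-demo"                         # keyring key name the token refers to
    mapname="luks2-demo"

    # 1. Format as LUKS2; the passphrase bytes come from stdin ("-" = keyfile on stdin).
    printf '%s' "$passphrase" | cryptsetup luksFormat --type luks2 --batch-mode "$dev" -
    # 2. Add a luks2-keyring token. The header stores only the key *name*, no secret.
    cryptsetup token add --key-description "$keydesc" "$dev"
    # 3. Pre-load the passphrase into the user keyring with a bounded lifetime,
    #    so the secret never sits in a file on disk and expires on its own.
    kid=$(printf '%s' "$passphrase" | keyctl padd user "$keydesc" @u)
    keyctl timeout "$kid" 60
    # 4. Open with no prompt: cryptsetup resolves the token via request_key().
    #    --token-only makes a keyring miss fail instead of falling back to a prompt.
    cryptsetup open --token-only "$dev" "$mapname"
    # 5. Check that the header really carries the token, then tear everything down.
    cryptsetup luksDump "$dev" | grep -q 'luks2-keyring'
    cryptsetup close "$mapname"
    keyctl unlink "$kid" @u
    losetup -d "$dev"
    rm -f "$img"
    echo "ok: unlocked via keyring token"
}

luks2_keyring_demo
```

Once the key times out or is unlinked, `cryptsetup open --token-only` fails, which is the behaviour to expect (and monitor for) on a node whose key was never provisioned into the keyring.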
