Hi Andrea,

On Tue, Mar 12, 2019 at 6:11 PM Andrea <0x41ndrea@xxxxxxxxx> wrote:
>
> Hi,
> reading Rados Gateway documentation [1] I learned that current support
> for server side encryption using a KMS is only available with
> OpenStack Barbican. Encouraged by the statement from the same
> documentation page quoted below:
>
> In principle, any key management service could be used here, ...
>
> I've checked the code and I can see in [2] that the functions tying
> the logic to Barbican are mostly down to request_key_from_barbican and
> get_keystone_barbican_token.
>
> My questions are:
> - Is there anyone already working on this?

Not to my knowledge, although the idea has been proposed.

> - If not, would an integration with Vault be welcomed?

Certainly.

> - Is there any other area of the code / implications I left behind in
> my analysis?

One I can think of is potentially implementing SSE-S3 with (e.g.) Vault as a secret store, as an alternative or in addition to SSE-KMS.

regards,

Matt

>
> Thanks
>
> --
> Andrea
>
> [1] http://docs.ceph.com/docs/master/radosgw/encryption/
> [2] https://github.com/ceph/ceph/blob/master/src/rgw/rgw_crypt.cc

--
Matt Benjamin
Red Hat, Inc.
315 West Huron Street, Suite 140A
Ann Arbor, Michigan 48103
http://www.redhat.com/en/technologies/storage
tel. 734-821-5101
fax. 734-769-8938
cel. 734-216-5309