Hi,

What are the current options to set up a fully encrypted ceph cluster (data encrypted in transit & at rest)?

From what I have gathered:

option: ceph OSDs with dmcrypt and keys stored in monitors - this seems not secure because keys travel from monitors to OSDs unencrypted by default.

workarounds would be:
- best: to use OSDs on luks crypt devices and unlock luks locally, but somehow ceph-volume refuses to create an OSD on a /dev/mapper/..crypt device - why is that?
- not available: to store OSD dmcrypt keys in a TANG server and use clevis to retrieve keys.
- viable but inconvenient: create a VPN between osds and mons

What could be other suggestions to set up fully encrypted ceph?

Best regards,
Ugis