If you're running Nautilus you can enable the new messenger encryption option. That's marked experimental right now but has been stable in testing so that flag will be removed in the next point release or two. Not sure about setting up Ceph-volume with locally-stored keys; partly we just assume your monitors are "farther away" from the OSD drives so even if the keys are transmitted unencrypted that's more secure against practical attacks...
-Greg

On Wed, May 29, 2019 at 11:28 AM Ugis <ugis22@xxxxxxxxx> wrote:
>
> Hi,
>
> What are current options to set up a fully encrypted ceph cluster (data
> encrypted in transit & at rest)?
>
> From what I have gathered:
> option: ceph OSDs with dmcrypt and keys stored in monitors - this
> seems not secure because keys travel from monitors to OSDs unencrypted
> by default.
>
> workarounds would be:
> - best: to use OSDs on luks crypt devices and unlock luks locally but
> somehow ceph-volume refuses to create OSD on /dev/mapper/..crypt
> device - why that?
> - not available: to store OSD dmcrypt keys in TANG server and use
> clevis to retrieve keys.
> - viable but inconvenient: create VPN between osds and mons
>
> What could be other suggestions to set up fully encrypted ceph?
>
> Best regards,
> Ugis
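The messenger encryption Greg refers to is msgr2's secure connection mode. An added example, not from the thread or the Ceph project: a POSIX shell check over two constructed ceph.conf fragments that flags any ms_*_mode value still permitting the unencrypted crc mode. The option names ms_bind_msgr2, ms_cluster_mode, ms_service_mode and ms_client_mode, the values crc/secure, and the "crc secure" default are assumptions taken from the Nautilus msgr2 documentation.

```shell
#!/bin/sh
# Constructed ceph.conf fragments (not from the thread). Option names and
# values are assumptions based on the Nautilus msgr2 documentation.
WEAK_CONF='[global]
ms_bind_msgr2 = true
# A preference list: "crc" is still allowed, so a peer can negotiate a
# checksum-only (unencrypted) connection instead of an encrypted one.
ms_cluster_mode = crc secure
ms_service_mode = crc secure
ms_client_mode = crc secure'

HARDENED_CONF='[global]
ms_bind_msgr2 = true
# Only "secure" is permitted, so every msgr2 connection must be encrypted.
ms_cluster_mode = secure
ms_service_mode = secure
ms_client_mode = secure'

# msgr_modes_enforce_secure CONF_TEXT
# Prints one line per ms_*_mode key that is unset or permits a non-secure
# mode; returns 0 only when all three keys are set to exactly "secure".
msgr_modes_enforce_secure() {
    conf="$1"
    status=0
    for key in ms_cluster_mode ms_service_mode ms_client_mode; do
        # First "key = value" line for this key, trailing whitespace stripped
        value=$(printf '%s\n' "$conf" \
            | sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" \
            | head -n 1 | sed 's/[[:space:]]*$//')
        if [ -z "$value" ]; then
            echo "$key: unset (assumed default 'crc secure' permits crc)"
            status=1
        elif [ "$value" != "secure" ]; then
            echo "$key: '$value' permits unencrypted crc mode"
            status=1
        fi
    done
    return $status
}

# Stand-alone usage: report on both constructed fragments.
echo "weak config:";     msgr_modes_enforce_secure "$WEAK_CONF" || true
echo "hardened config:"; msgr_modes_enforce_secure "$HARDENED_CONF" && echo "all modes secure"
```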