Thanks for the hint about Nautilus messenger v2! I was not aware it is nearly ready.
I'm using Nautilus 14.2.1 - how exactly can I enable "secure mode"?
http://docs.ceph.com/docs/nautilus/rados/configuration/msgr2/#bind-configuration-options describes what it is but does not mention how to enable it.

P.S. If I use dmcrypt for my OSDs I should back up the keys. Is it enough to back up the monitors as described here (stop daemon + back up DB folder)?
https://blog.widodh.nl/2014/03/safely-backing-up-your-ceph-monitors/
Would I be able to start the cluster in case all mons are lost with such a backup?

Ugis

On Wed, May 29, 2019 at 21:39, Gregory Farnum (<gfarnum@xxxxxxxxxx>) wrote:
>
> If you're running Nautilus you can enable the new messenger encryption
> option. That's marked experimental right now but has been stable in
> testing so that flag will be removed in the next point release or two.
>
> Not sure about setting up ceph-volume with locally-stored keys; partly
> we just assume your monitors are "farther away" from the OSD drives so
> even if the keys are transmitted unencrypted that's more secure
> against practical attacks...
> -Greg
>
> On Wed, May 29, 2019 at 11:28 AM Ugis <ugis22@xxxxxxxxx> wrote:
> >
> > Hi,
> >
> > What are the current options to set up a fully encrypted Ceph cluster (data
> > encrypted in transit & at rest)?
> >
> > From what I have gathered:
> > option: Ceph OSDs with dmcrypt and keys stored in monitors - this
> > seems not secure because keys travel from monitors to OSDs unencrypted
> > by default.
> >
> > Workarounds would be:
> > - best: to use OSDs on LUKS crypt devices and unlock LUKS locally, but
> > somehow ceph-volume refuses to create an OSD on a /dev/mapper/..crypt
> > device - why is that?
> > - not available: to store OSD dmcrypt keys in a Tang server and use
> > Clevis to retrieve the keys.
> > - viable but inconvenient: create a VPN between OSDs and mons.
> >
> > What could be other suggestions to set up fully encrypted Ceph?
> >
> > Best regards,
> > Ugis
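As an added illustration that is not part of the thread above: a ceph.conf fragment showing the msgr2 connection-mode options with the integrity-only setting beside the encrypting one. The option names are the msgr2 connection-mode options (ms_*_mode, ms_bind_msgr2); it is assumed they are available in the deployed 14.2.x release.

```ini
# Added example (not from the mailing-list thread): msgr2 connection modes
# for a Ceph Nautilus cluster. Assumes the ms_*_mode options exist in the
# deployed 14.2.x release. Put this in ceph.conf on every daemon and client
# host (or apply the same values with `ceph config set global ...`), then
# restart the daemons so that existing connections are renegotiated.

[global]
# msgr2 must be on: monitors then listen on the v2 port (3300) as well as
# the legacy v1 port (6789). Clients that only speak msgr1 (older kernel
# RBD/CephFS clients) never negotiate a mode and stay in plaintext.
ms_bind_msgr2 = true

# Weak setting: "crc" only adds an integrity check to the msgr2 framing,
# payloads still cross the wire unencrypted. Listing "crc secure" lets a
# peer that does not support encryption downgrade the connection to crc.
#ms_cluster_mode = crc secure
#ms_service_mode = crc secure
#ms_client_mode = crc secure

# Hardened setting: list only "secure" so that a connection is refused
# instead of downgraded when the peer cannot encrypt.
# daemon <-> daemon traffic (OSD, MDS, MGR)
ms_cluster_mode = secure
# daemons accepting connections from clients
ms_service_mode = secure
# clients (librados, librbd) connecting to daemons
ms_client_mode = secure
# the monitor paths have their own set of options
ms_mon_cluster_mode = secure
ms_mon_service_mode = secure
ms_mon_client_mode = secure
```

Note that this only covers data in transit on msgr2; OSD dmcrypt/LUKS key handling, as discussed in the thread, is a separate question.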