Re: fully encrypted ceph

On Thu, May 30, 2019 at 8:53 AM Ugis <ugis22@xxxxxxxxx> wrote:
>
> Thanks for hint about Nautilus messenger v2! Was not aware it is near ready.
>
> I'm using Nautilus 14.2.1 - how exactly can I enable "secure mode"?
> http://docs.ceph.com/docs/nautilus/rados/configuration/msgr2/#bind-configuration-options
> describes what it is but does not mention how to enable.

The "Connection Modes" section right underneath there discusses the
options and values you can set.

>
> P.S. If I use dmcrypt for my OSDs I should backup keys. Is it enough
> to backup monitors like described here (stop daemon + backup DB
> folder)?
> https://blog.widodh.nl/2014/03/safely-backing-up-your-ceph-monitors/
>
> Would I be able to start cluster in case all mons are lost with such backup?

Not sure; I haven't played with this. If you lose all the monitors you
can reconstruct the Ceph data but I think with fully-encrypted OSDs
that would put you out of luck unless you had all the keys stored
somewhere else you could provide them from.
-Greg

>
> Ugis
>
> On Wed, 29 May 2019 at 21:39, Gregory Farnum
> (<gfarnum@xxxxxxxxxx>) wrote:
> >
> > If you're running Nautilus you can enable the new messenger encryption
> > option. That's marked experimental right now but has been stable in
> > testing so that flag will be removed in the next point release or two.
> >
> > Not sure about setting up Ceph-volume with locally-stored keys; partly
> > we just assume your monitors are "farther away" from the OSD drives so
> > even if the keys are transmitted unencrypted that's more secure
> > against practical attacks...
> > -Greg
> >
> > On Wed, May 29, 2019 at 11:28 AM Ugis <ugis22@xxxxxxxxx> wrote:
> > >
> > > Hi,
> > >
> > > What are current options to set up fully encrypted ceph cluster (data
> > > encrypted in transit & at rest)?
> > >
> > > From what I have gathered:
> > > option: ceph OSDs with dmcrypt and keys stored in monitors - this
> > > seems not secure because keys travel from monitors to OSDs unencrypted
> > > by default.
> > >
> > > workarounds would be:
> > > - best: to use OSDs on luks crypt devices and unlock luks locally but
> > > somehow ceph-volume refuses to create OSD on /dev/mapper/..crypt
> > > device - why that?
> > > - not available: to store OSD dmcrypt keys in TANG server and use
> > > clevis to retrieve keys.
> > > - viable but inconvenient: create VPN between osds and mons
> > >
> > > What could be other suggestions to set up fully encrypted ceph?
> > >
> > > Best regards,
> > > Ugis
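One way to check the "Connection Modes" settings Greg points at, as an added example that is not part of this thread or of Ceph's own tooling: the script below parses a ceph.conf, resolves the mode list each daemon section would actually use (section, then [global], then the documented default), and reports every setting that still permits the integrity-only "crc" mode. It assumes the INI-style ceph.conf format, the six ms_*_mode option names and their "crc secure" default as documented in the linked Nautilus msgr2 page, and a constructed sample config; the `ceph config set global <opt> secure` form mentioned in a comment is the documented Nautilus CLI way to set the same options centrally.

```python
"""Audit msgr2 connection-mode settings in a ceph.conf (added example)."""
import configparser

# The six connection-mode options from the "Connection Modes" section of the
# Nautilus msgr2 docs. Each holds a space-separated list of modes, most
# preferred first: "crc" only integrity-checks, "secure" encrypts.
MODE_OPTIONS = (
    "ms_cluster_mode",      # daemon <-> daemon
    "ms_service_mode",      # daemon accepting client connections
    "ms_client_mode",       # client connecting to daemons
    "ms_mon_cluster_mode",  # daemon <-> monitor
    "ms_mon_service_mode",  # monitor accepting connections
    "ms_mon_client_mode",   # client <-> monitor
)
DEFAULT_MODES = ("crc", "secure")   # documented default when an option is unset

# Constructed sample ceph.conf: mostly hardened, with a few gaps left on purpose.
SAMPLE_CONF = """\
[global]
ms_bind_msgr2 = true
ms_cluster_mode = secure
ms_service_mode = secure
ms_client_mode = crc secure
ms_mon_cluster_mode = secure
; ms_mon_service_mode deliberately unset -> falls back to "crc secure"
ms_mon_client_mode = secure

[osd]
; a per-daemon section overrides [global]; ceph.conf also accepts spaces for _
ms cluster mode = crc secure
"""


def load_conf(text):
    """Parse ceph.conf text (INI-style; '#' and ';' start comment lines)."""
    conf = configparser.ConfigParser(strict=False, interpolation=None)
    conf.read_string(text)
    return conf


def effective_modes(conf, option, section):
    """Resolve the mode list a daemon in `section` would use: its own section,
    then [global], then the documented default. Both key spellings are accepted."""
    for sec in (section, "global"):
        if not conf.has_section(sec):
            continue
        for key in (option, option.replace("_", " ")):
            if conf.has_option(sec, key):
                return tuple(conf.get(sec, key).split())
    return DEFAULT_MODES


def audit(conf_text, sections=("global", "mon", "osd", "client")):
    """Return (section, option, modes) for every effective setting that still
    permits an unencrypted mode, i.e. anything other than exactly ("secure",)."""
    conf = load_conf(conf_text)
    findings = []
    for section in sections:
        for option in MODE_OPTIONS:
            modes = effective_modes(conf, option, section)
            if modes != ("secure",):
                findings.append((section, option, modes))
    return findings


def secure_only_fragment():
    """[global] fragment pinning all six options to "secure" only.
    Central-config equivalent per option: ceph config set global <opt> secure"""
    lines = ["[global]"] + [f"{opt} = secure" for opt in MODE_OPTIONS]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for section, option, modes in audit(SAMPLE_CONF):
        print(f"{section:7} {option:22} allows: {' '.join(modes)}")
    # The hardened fragment must produce no findings.
    assert audit(secure_only_fragment()) == []
```

On a Nautilus cluster the monitors' central configuration database can override what ceph.conf says, so the same six options should also be checked in the output of `ceph config dump` before concluding that every path is pinned to "secure".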
