Hi! I think it is impossible to hide crypto keys from an admin who has access to the host machine where the VM guest is running. The admin can always take a snapshot of the running VM and extract all the keys straight from memory. Maybe you can achieve a sufficient level of security by providing a dedicated real server holding the crypto keys in RAM only, and somehow guarantee that the server will not be substituted with a VM one fine day by a malicious admin :)

Pavel.

On 10 March 2014, at 5:09, Mark s2c <mark@xxxxxxxxxxxxxxx> wrote:

> Ceph is seriously badass, but my requirements are to create a cluster in which I can host my customers' data in separate areas which are independently encrypted, with passphrases which we as cloud admins do not have access to.
>
> My current thoughts are:
> 1. Create an OSD per machine stretching over all installed disks, then create a user-sized block device per customer. Mount this block device on an access VM and create a LUKS container in it, followed by a zpool, and then I can allow the users to create separate bins of data as separate ZFS filesystems in the container, which is actually a block device striped across the OSDs.
> 2. Create an OSD per customer and use dm-crypt, then store the dm-crypt key somewhere, rendered in some way so that we cannot access it, such as a PGP-encrypted file using a passphrase which only the customer knows.
>
> My questions are:
> 1. What are people's comments regarding this problem (irrespective of my thoughts)?
> 2. Which would be the most efficient of (1) and (2) above?
> 3. As per (1), would it be easy to stretch a created block device over more OSDs dynamically should we increase the size of one or more? Also, what if we had millions of customers/block devices?
>
> Any advice on the above would be deluxe.
>
> M
>
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
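The provisioning sequence sketched in option (1) of the question (RBD image, LUKS container, zpool, one ZFS filesystem per data bin), written out as an added example that is not part of the original thread or of Ceph's own tooling. The pool name rbd, the image name cust-<id>, the mapping name cust-<id>-luks and the zpool name cust-<id> are assumptions; sizes are given in MB, as the rbd CLI of that era expected. The grow step addresses question (3): the image is already striped across the OSDs, so growing it is an rbd resize followed by resizing the LUKS mapping and the pool, with no OSD-level change. Note what this does not change: while the container is open, the LUKS master key sits in the access VM's RAM, which is exactly the exposure Pavel describes; the script only keeps the passphrase off the command line and out of shell history by letting cryptsetup prompt for it interactively.

```shell
#!/bin/sh
# Added example (not from the thread): provision one customer's encrypted
# volume as RBD image -> LUKS -> zpool -> per-bin ZFS filesystems.
# Assumed names (not from the original post): pool "rbd", image "cust-<id>",
# LUKS mapping "cust-<id>-luks", zpool "cust-<id>". Sizes are in MB.
# DRY_RUN=1 (the default) prints each command instead of running it; set
# DRY_RUN=0 on a host with ceph, cryptsetup and zfs installed to execute.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# provision <customer-id> <size-mb>
# cryptsetup prompts for the passphrase on the terminal, so the customer can
# type it in their own session and it never appears on the command line.
provision() {
    id="$1"; size_mb="$2"
    run rbd create --size "$size_mb" "rbd/cust-$id"
    run rbd map "rbd/cust-$id"
    run cryptsetup luksFormat "/dev/rbd/rbd/cust-$id"
    run cryptsetup luksOpen "/dev/rbd/rbd/cust-$id" "cust-$id-luks"
    run zpool create "cust-$id" "/dev/mapper/cust-$id-luks"
}

# add_bin <customer-id> <bin-name>: one ZFS filesystem per bin of data
add_bin() {
    run zfs create "cust-$1/$2"
}

# grow <customer-id> <new-size-mb>: enlarge the block device online; the
# image is striped over the OSDs already, so only the image, the LUKS
# mapping and the pool need to learn the new size.
grow() {
    id="$1"; size_mb="$2"
    run rbd resize --size "$size_mb" "rbd/cust-$id"
    run cryptsetup resize "cust-$id-luks"
    run zpool online -e "cust-$id" "/dev/mapper/cust-$id-luks"
}

# Dispatch: sh provision.sh provision 42 10240 / add_bin 42 mail / grow 42 20480
if [ $# -gt 0 ]; then
    "$@"
fi
```

Running it with the default DRY_RUN=1 prints the exact command sequence for review before anything touches the cluster, which is also the form in which one would hand the procedure to a change-review process.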