On 5/27/14 19:44, Plato wrote:
> For a certain security issue, I need to make sure the data finally saved
> to disk is encrypted.
> So, I'm trying to write a rados class, which would be triggered by
> the reading and writing process.
> That is, before data is written, the encrypting method of the class will
> be invoked; and then after data is read, the decrypting method of the
> class will be invoked.
>
> I checked the interfaces in objclass.h, and found that cls_link
> perhaps is what I need.
> However, the interface is not implemented yet. So, how to write such a
> rados plugin? Is it possible?
>
> Plato
>
>
> _______________________________________________
> ceph-users mailing list
> ceph-users at lists.ceph.com
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

If you're looking for encryption at rest, can you use ceph-disk prepare --dmcrypt or ceph-deploy disk --dmcrypt?

The encryption is top notch, but the actual security is a bit weak. The keys are stored unencrypted in /etc/ceph/dmcrypt-keys/, which allows the OSDs to start at boot without a pass-phrase. If you're looking to check a box on your security auditor's form, it meets the requirements: the disk without the key is useless.

If you want stronger security (encrypted keys w/ pass-phrase on boot), the --dmcrypt arg just calls cryptsetup. Open up your deployment tool of choice, and look at the innards. It wouldn't be very hard to set up better security manually. It will complicate reboots, but actual security does.

In cryptsetup, it looks like only AES256 is compiled in on Ubuntu. If you need stronger crypto, I'm sure it's available with a bit more effort.

--

*Craig Lewis*
Senior Systems Engineer
Office +1.714.602.1309
Email clewis at centraldesktop.com <mailto:clewis at centraldesktop.com>

*Central Desktop. Work together in ways you never thought possible.*
Connect with us Website <http://www.centraldesktop.com/> | Twitter <http://www.twitter.com/centraldesktop> | Facebook <http://www.facebook.com/CentralDesktop> | LinkedIn <http://www.linkedin.com/groups?gid=147417> | Blog <http://cdblog.centraldesktop.com/>
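The reply above points out that the dm-crypt keys live unencrypted under /etc/ceph/dmcrypt-keys/. A compensating control while the keys stay on disk is to verify that nothing but root can read them. The shell function below is an added example, not code from the thread or from Ceph itself; it assumes GNU stat (`stat -c %a`) and takes the key directory as its argument, so it can be pointed at /etc/ceph/dmcrypt-keys/ on an OSD host or at any other directory.

```shell
#!/bin/sh
# Audit a ceph dmcrypt key directory (for example /etc/ceph/dmcrypt-keys).
# Every entry must be a regular, non-empty file whose mode grants no
# group or other bits (0600 or stricter), and the directory itself must
# be 0700 so the listing is not readable either.
# Prints one line per finding; returns 0 if clean, 1 otherwise.
# Assumes GNU coreutils stat (-c %a prints the octal mode).
audit_dmcrypt_keys() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist"
        return 1
    fi
    dmode=$(stat -c %a "$dir")
    case "$dmode" in
        700|500) ;;
        *) echo "DIR: $dir has mode $dmode (expected 700)"; rc=1 ;;
    esac
    for f in "$dir"/*; do
        [ -e "$f" ] || continue           # empty directory: nothing to check
        if [ ! -f "$f" ]; then
            echo "NOTFILE: $f is not a regular file"; rc=1; continue
        fi
        mode=$(stat -c %a "$f")
        # any non-zero group/other digit means the raw key is readable
        # by accounts other than its owner
        case "$mode" in
            [0-7]00) ;;
            *) echo "PERM: $f has mode $mode (expected 600)"; rc=1 ;;
        esac
        if [ ! -s "$f" ]; then
            echo "EMPTY: $f is empty"; rc=1
        fi
    done
    return $rc
}
```

Run it from cron or a config-management check and alert on a non-zero exit; it does not prove the keys are protected, only that the on-disk copy is not exposed more widely than root.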