At 'rest' is talking about data on it's own, not being accessed through an application. Encryption at rest is most commonly done by encrypting the block device with something like dmcrypt. It's anything that makes having the physical disk useless without being able to decrypt it. You can also just encrypt a folder with sensitive information which would also be encryption at rest. Encryption not at rest would be like putting a secure layer between the data and the users that access it, like HTTPS/SSL.
On Wed, May 2, 2018 at 11:25 AM Alfredo Deza <adeza@xxxxxxxxxx> wrote:
On Wed, May 2, 2018 at 11:12 AM, David Turner <drakonstein@xxxxxxxxx> wrote:
> I've heard conflicting opinions if GDPR requires data to be encrypted at
> rest, but enough of our customers believe that it is that we're looking at
> addressing it in our clusters. I had a couple questions about the state of
> encryption in ceph.
>
> 1) My experience with encryption in Ceph is dmcrypt, is this still the
> standard method or is there something new with bluestore?
Standard, yes.
> 2) Assuming dmcrypt is still the preferred option, is it fully
> supported/tested in ceph-volume? There were problems with this when
> ceph-volume was initially released, but I believe those have been resolved.
It is fully supported, but only with LUKS. The initial release of
ceph-volume didn't have dmcrypt support.
> 3) Any other thoughts about encryption at rest? I have an upgrade path to
> get to encryption (basically the same as getting to bluestore from
> filestore).
Not sure what you mean by 'rest'. The ceph-volume encryption would
give you the same type of encryption that was provided by ceph-disk
with the only "gotcha" being it is LUKS (plain is not supported for
newly encrypted devices)
>
> Thanks for your comments.
_______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
