Re: GDPR encryption at rest

The process to create an encrypted bluestore OSD is very simple to make them utilize dmcrypt (literally just add --dmcrypt to the exact same command you would run normally to create the OSD).  The gotcha is that I had to find the option by using --help with ceph-volume from the cli.  I was unable to find any reference to it in the ceph docs online.

I'm not sure where I would suggest putting it.  I searched for it through googling the terms and didn't find anything.  Hopefully this comes up in future searches and is helpful.

[1] ceph-volume --help
ceph-volume lvm --help
ceph-volume lvm create --help (ahh, there it is)

On Wed, May 2, 2018 at 11:51 AM David Turner <drakonstein@xxxxxxxxx> wrote:
At 'rest' is talking about data on its own, not being accessed through an application.  Encryption at rest is most commonly done by encrypting the block device with something like dmcrypt.  It's anything that makes having the physical disk useless without being able to decrypt it.  You can also just encrypt a folder with sensitive information which would also be encryption at rest.  Encryption not at rest would be like putting a secure layer between the data and the users that access it, like HTTPS/SSL.

On Wed, May 2, 2018 at 11:25 AM Alfredo Deza <adeza@xxxxxxxxxx> wrote:
On Wed, May 2, 2018 at 11:12 AM, David Turner <drakonstein@xxxxxxxxx> wrote:
> I've heard conflicting opinions if GDPR requires data to be encrypted at
> rest, but enough of our customers believe that it is that we're looking at
> addressing it in our clusters.  I had a couple questions about the state of
> encryption in ceph.
>
> 1) My experience with encryption in Ceph is dmcrypt, is this still the
> standard method or is there something new with bluestore?

Standard, yes.

> 2) Assuming dmcrypt is still the preferred option, is it fully
> supported/tested in ceph-volume?  There were problems with this when
> ceph-volume was initially released, but I believe those have been resolved.

It is fully supported, but only with LUKS. The initial release of
ceph-volume didn't have dmcrypt support.

> 3) Any other thoughts about encryption at rest?  I have an upgrade path to
> get to encryption (basically the same as getting to bluestore from
> filestore).

Not sure what you mean by 'rest'. The ceph-volume encryption would
give you the same type of encryption that was provided by ceph-disk
with the only "gotcha" being it is LUKS (plain is not supported for
newly encrypted devices)

>
> Thanks for your comments.
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
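
Added example (not part of the original thread and not Ceph project code): when moving a cluster to dmcrypt OSDs as discussed above, this Python check reads `ceph-volume lvm list --format json` output and reports OSD volumes not marked encrypted. It assumes dmcrypt volumes carry the tag `ceph.encrypted` set to "1"; the sample listing, volume paths and the `unencrypted_osds` helper are constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `ceph-volume lvm list --format json`
# (assumption: dmcrypt volumes carry the LVM tag ceph.encrypted = "1").
SAMPLE = """
{
  "0": [{"type": "block", "path": "/dev/ceph-a/osd-block-0",
         "tags": {"ceph.osd_id": "0", "ceph.encrypted": "1"}}],
  "1": [{"type": "block", "path": "/dev/ceph-b/osd-block-1",
         "tags": {"ceph.osd_id": "1", "ceph.encrypted": "0"}}],
  "2": [{"type": "block", "path": "/dev/ceph-c/osd-block-2",
         "tags": {"ceph.osd_id": "2"}}]
}
"""


def unencrypted_osds(listing_json):
    """Map OSD id -> volume paths that are not marked as dmcrypt-encrypted."""
    findings = {}
    for osd_id, volumes in json.loads(listing_json).items():
        for vol in volumes:
            tags = vol.get("tags", {})
            # Fail closed: a missing tag counts as unencrypted.
            if str(tags.get("ceph.encrypted", "0")) != "1":
                findings.setdefault(osd_id, []).append(vol.get("path", "<unknown>"))
    return findings


if __name__ == "__main__":
    # Pass a file holding real listing output, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE
    findings = unencrypted_osds(text)
    for osd_id in sorted(findings, key=int):
        print(f"osd.{osd_id}: not encrypted: {', '.join(findings[osd_id])}")
    sys.exit(1 if findings else 0)
```

The script exits non-zero when any volume is reported, so it can gate a migration step; compare the tag layout against your own listing output before relying on it.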
