Re: GDPR encryption at rest

On Thu, May 3, 2018 at 1:22 PM, David Turner <drakonstein@xxxxxxxxx> wrote:
> The process to create an encrypted bluestore OSD is very simple to make them
> utilize dmcrypt (literally just add --dmcrypt to the exact same command you
> would run normally to create the OSD).  The gotcha is that I had to find the
> option by using --help with ceph-volume from the cli.  I was unable to find
> any reference to it in the ceph docs online.
>
> I'm not sure where I would suggest putting it.  I searched for it through
> googling the terms and didn't find anything.  Hopefully this comes up in
> future searches and is helpful.

You are right, it seems that although we have the details at
http://docs.ceph.com/docs/master/ceph-volume/lvm/encryption/
we didn't actually update the flags in the prepare/activate/create sections.

I will make sure those are updated. Thanks for pointing this out.

>
> [1] ceph-volume --help
> ceph-volume lvm --help
> ceph-volume lvm create --help (ahh, there it is)
>
> On Wed, May 2, 2018 at 11:51 AM David Turner <drakonstein@xxxxxxxxx> wrote:
>>
>> At 'rest' is talking about data on its own, not being accessed through an
>> application.  Encryption at rest is most commonly done by encrypting the
>> block device with something like dmcrypt.  It's anything that makes having
>> the physical disk useless without being able to decrypt it.  You can also
>> just encrypt a folder with sensitive information which would also be
>> encryption at rest.  Encryption not at rest would be like putting a secure
>> layer between the data and the users that access it, like HTTPS/SSL.
>>
>> On Wed, May 2, 2018 at 11:25 AM Alfredo Deza <adeza@xxxxxxxxxx> wrote:
>>>
>>> On Wed, May 2, 2018 at 11:12 AM, David Turner <drakonstein@xxxxxxxxx>
>>> wrote:
>>> > I've heard conflicting opinions if GDPR requires data to be encrypted at
>>> > rest, but enough of our customers believe that it is that we're looking at
>>> > addressing it in our clusters.  I had a couple questions about the state of
>>> > encryption in ceph.
>>> >
>>> > 1) My experience with encryption in Ceph is dmcrypt, is this still the
>>> > standard method or is there something new with bluestore?
>>>
>>> Standard, yes.
>>>
>>> > 2) Assuming dmcrypt is still the preferred option, is it fully
>>> > supported/tested in ceph-volume?  There were problems with this when
>>> > ceph-volume was initially released, but I believe those have been
>>> > resolved.
>>>
>>> It is fully supported, but only with LUKS. The initial release of
>>> ceph-volume didn't have dmcrypt support.
>>>
>>> > 3) Any other thoughts about encryption at rest?  I have an upgrade path to
>>> > get to encryption (basically the same as getting to bluestore from
>>> > filestore).
>>>
>>> Not sure what you mean by 'rest'. The ceph-volume encryption would
>>> give you the same type of encryption that was provided by ceph-disk
>>> with the only "gotcha" being it is LUKS (plain is not supported for
>>> newly encrypted devices)
>>>
>>> >
>>> > Thanks for your comments.
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
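The thread above boils down to one flag (add --dmcrypt to the usual ceph-volume lvm create command) plus the caveat that the result is LUKS, not plain dm-crypt. The script below is an added example, not code from the thread or from the Ceph project: it builds that create command for a data device, audits the LVM tags ceph-volume writes on OSD logical volumes to spot OSDs that were created without encryption, and confirms a device really carries a LUKS header with cryptsetup. The device path /dev/sdb is a placeholder, and the audit assumes ceph-volume records its state in an LVM tag named ceph.encrypted (0 or 1) alongside ceph.osd_id; check `lvs -o lv_tags` on your own hosts if that name differs.

```shell
#!/bin/sh
# Added example (not from the thread or the Ceph project).
# Creates a dmcrypt (LUKS) bluestore OSD with ceph-volume and audits
# existing OSD logical volumes for the ceph.encrypted tag.

# Build the ceph-volume create command for a data device.  The only
# difference from an unencrypted OSD is the trailing --dmcrypt flag.
build_create_cmd() {
    dev="$1"
    printf 'ceph-volume lvm create --bluestore --data %s --dmcrypt' "$dev"
}

# Classify a comma-separated LVM tag string (as printed by `lvs -o lv_tags`).
# Assumption: ceph-volume stores its encryption state as ceph.encrypted=0|1.
# Returns 1 when the tag is absent, so callers can treat "unknown" as a finding.
encryption_state() {
    tags="$1"
    case ",$tags," in
        *,ceph.encrypted=1,*) echo encrypted ;;
        *,ceph.encrypted=0,*) echo plaintext ;;
        *) echo unknown; return 1 ;;
    esac
}

# Walk every LV on this host and report the OSD ones.  An OSD data LV that
# is not "encrypted" means a pulled disk is readable without any key.
audit_osd_lvs() {
    lvs --noheadings -o lv_path,lv_tags --separator ';' 2>/dev/null |
    while IFS=';' read -r path tags; do
        path=$(printf '%s' "$path" | tr -d ' ')
        case "$tags" in
            *ceph.osd_id=*) printf '%s %s\n' "$path" "$(encryption_state "$tags")" ;;
        esac
    done
}

# Newly created devices are LUKS only (no plain dm-crypt), so a LUKS header
# must be present on the underlying LV once ceph-volume has finished.
is_luks() {
    cryptsetup isLuks "$1"
}

case "${1:-}" in
    --create) sh -c "$(build_create_cmd "${2:?device required, e.g. /dev/sdb}")" ;;
    --audit)  audit_osd_lvs ;;
    --check)  is_luks "${2:?LV path required}" && echo "LUKS: $2" ;;
esac
```

Run `sh osd-crypt.sh --create /dev/sdb` on the OSD host to provision, then `sh osd-crypt.sh --audit` to list every OSD LV with encrypted/plaintext/unknown, which is the evidence an auditor asking about encryption at rest actually wants to see.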
