Hello,
after reading the documentation[1], I'm uncertain whether the OSD
encryption keys are stored in a safe way. If I understand correctly,
they are kept on the monitor(s) but not necessarily with extra
protection.
In other words, is the default setup safe against the situation where
one disk gets RMAd? Or are there some extra step required, like
encrypting at least the file system that holds the monitor storage
(/var/lib/ceph/mon/?), and unlocking via some means at boot time?
Christoph
[1] http://docs.ceph.com/docs/mimic/ceph-volume/lvm/encryption/
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
