Hello, I have a question regarding possible ways of retrieving cephx key from a running ceph-fuse process. Our current setup mounts CephFS volumes in following steps: 1. Receive a request to mount a volume. The request contains all info necessary to perform the mount including the cephx key. 2. Create a secret file, populate it with the cephx key. 3. Mount the CephFS volume with ceph-fuse ... --keyfile=<path to the secret file>. 4. Remove the secret file once the "bootstrap" ceph-fuse process exits. If we ignore any possible ways to eavesdrop for the key in step 1, step 2 already gives an attacker a short window to read the key before the secret file is removed (and closed). Is there a way for an attacker with sufficient privileges to retrieve the key by somehow mining it off of the process memory of ceph-fuse which is now maintaining the volume mount? Thanks! Cheers, Robert _______________________________________________ ceph-users mailing list -- ceph-users@xxxxxxx To unsubscribe send an email to ceph-users-leave@xxxxxxx
 |