On Fri, Apr 29, 2023 at 7:52 AM Will Gorman <will.gorman@xxxxxxxxx> wrote:
>
> Is there a way to enable the LUKS encryption format on a snapshot that was created from an unencrypted image without losing data? I've seen in https://docs.ceph.com/en/quincy/rbd/rbd-encryption/ that "Any data written to the image prior to its format may become unreadable, though it may still occupy storage resources." and observed that to be the case when running `encryption format` on an image that already has data in it. However, is there any way to take a snapshot of an unencrypted image and enable encryption on the snapshot (or even on a new image cloned from the snapshot)?

Hi Will,

Support for layered client-side encryption is coming in the Reef release:

> * RBD: Support for layered client-side encryption is added. Cloned
>   images can now be encrypted each with its own encryption format and
>   passphrase, potentially different from that of the parent image. The
>   efficient copy-on-write semantics intrinsic to unformatted (regular)
>   cloned images are retained.

A full cluster upgrade won't be necessary to take advantage of it; upgrading librbd on the client node should suffice. The following

> Any data written to the image prior to its format may become
> unreadable, though it may still occupy storage resources.

remains true but you would be able to run "rbd encryption format" on a new image cloned from the unencrypted snapshot. Some "rbd resize" commands would need to be thrown in to allow for the added LUKS header: it might feel somewhat fiddly but can be trivially scripted. See https://docs.ceph.com/en/latest/rbd/rbd-encryption/ for details.

Thanks,

                Ilya
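One way to script the clone-then-format sequence with the extra "rbd resize" steps, as an added example that is not part of the original message or of Ceph's own tooling. It assumes Reef or later librbd on the client and a freshly taken snapshot; the step order is an assumption based on the linked rbd-encryption documentation, and the names (mypool/myimage, snap, myclone, clone-passphrase.bin), the helper functions and the 1024 MiB headroom are constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run planner for an encrypted clone of a plaintext RBD image.
# Function names, image names and the default headroom are assumptions.

# plan_encrypted_clone POOL IMAGE SNAP CLONE FORMAT PASSFILE SIZE_MIB [HEADROOM_MIB]
# SIZE_MIB is the parent's current size. Prints one rbd command per line.
plan_encrypted_clone() {
    pool=$1 image=$2 snap=$3 clone=$4 fmt=$5 pass=$6 size=$7 headroom=${8:-1024}
    case $fmt in
        luks1|luks2) ;;
        *) echo "format must be luks1 or luks2" >&2; return 2 ;;
    esac
    for n in "$size" "$headroom"; do
        case $n in
            ''|*[!0-9]*) echo "sizes must be whole MiB" >&2; return 2 ;;
        esac
    done
    grown=$((size + headroom))
    # 1. Grow the plaintext parent so the snapshot, and therefore the clone,
    #    has room for the LUKS header in front of the inherited data.
    # 2-4. Snapshot, protect, clone.
    # 5. Format only the clone; the parent is never formatted.
    # 6. Shrink the parent back (the snapshot keeps the grown size).
    # 7. Trim the clone to the original effective size, with encryption loaded.
    cat <<EOF
rbd resize --size ${grown}M $pool/$image
rbd snap create $pool/$image@$snap
rbd snap protect $pool/$image@$snap
rbd clone $pool/$image@$snap $pool/$clone
rbd encryption format $pool/$clone $fmt $pass
rbd resize --size ${size}M --allow-shrink $pool/$image
rbd resize --size ${size}M --allow-shrink --encryption-passphrase-file $pass $pool/$clone
EOF
}

# run_plan: reads commands on stdin, echoes each one, and executes it only
# when APPLY=1. Relies on word splitting, so names must not contain spaces.
run_plan() {
    while IFS= read -r cmd; do
        echo "+ $cmd"
        [ "${APPLY:-0}" = 1 ] || continue
        $cmd || { echo "failed: $cmd" >&2; return 1; }
    done
}

# Dry run:  plan_encrypted_clone mypool myimage snap myclone luks2 clone-passphrase.bin 51200 | run_plan
```

Data already present in the parent stays plaintext in the parent image and its snapshot; only the clone carries the LUKS header and passphrase.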