Hello Samuel,

On Sun, May 21, 2023 at 3:48 PM huxiaoyu@xxxxxxxxxxxx <huxiaoyu@xxxxxxxxxxxx> wrote:
>
> Dear Ceph folks,
>
> Recently one of our clients approached us with a request on encryption per user, i.e. using an individual encryption key for each user and encryption of files and object store.
>
> Does anyone know (or have experience) how to do this with CephFS and Ceph RGW?

For CephFS, this is unachievable.

For RGW, please use Vault for storing encryption keys. Don't forget about the proper high-availability setup. Use an AppRole to manage tokens. Use Vault Agent as a proxy that adds the token to requests issued by RGWs.

Then create a bucket for each user and set the encryption policy for this bucket using the PutBucketEncryption API that is available through AWS CLI. Either SSE-S3 or SSE-KMS will work for you. SSE-S3 is easier to manage. Each object will then be encrypted using a different key derived from its name and a per-bucket master key which never leaves Vault.

Note that users will be able to create additional buckets by themselves, and they won't be encrypted, so tell them either not to do that or to encrypt the new buckets similarly.

-- 
Alexander E. Patrakov
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
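The per-bucket step from the reply above (PutBucketEncryption through the AWS CLI, with SSE-S3 or SSE-KMS) and the closing caveat about user-created buckets, as an added shell example that is not part of the thread and not Ceph's or Vault's own tooling. It assumes the RGW S3 endpoint is in `RGW_ENDPOINT`, that the AWS CLI already holds credentials for the account owning the buckets, and, for SSE-KMS, that the key id passed is the name RGW resolves through its Vault backend; the `sse_config` and `encrypt_bucket` names and the `audit_buckets` helper are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the ceph-users thread. Assumed environment:
#   RGW_ENDPOINT  - the RGW S3 endpoint, e.g. https://rgw.example.internal (placeholder)
#   AWS CLI credentials for the bucket owner already configured.
set -eu

# Build the ServerSideEncryptionConfiguration JSON that put-bucket-encryption expects.
#   AES256  -> SSE-S3: RGW derives per-object keys from a per-bucket master key held in Vault
#   aws:kms -> SSE-KMS: key id is the name RGW looks up in its Vault backend (assumption)
sse_config() {
  local algo="$1" key_id="${2:-}"
  case "$algo" in
    AES256)
      printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
      ;;
    aws:kms)
      [ -n "$key_id" ] || { echo "SSE-KMS requires a key id" >&2; return 1; }
      printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"%s"}}]}' "$key_id"
      ;;
    *)
      echo "unsupported SSE algorithm: $algo (use AES256 or aws:kms)" >&2
      return 1
      ;;
  esac
}

# Apply a default-encryption rule to one bucket (the per-user bucket from the reply).
encrypt_bucket() {
  local bucket="$1" algo="$2" key_id="${3:-}" cfg
  cfg="$(sse_config "$algo" "$key_id")"
  aws --endpoint-url "$RGW_ENDPOINT" s3api put-bucket-encryption \
      --bucket "$bucket" \
      --server-side-encryption-configuration "$cfg"
}

# Print every named bucket that has no default-encryption rule. This is the check
# for the caveat in the reply: buckets users create themselves start out unencrypted.
# get-bucket-encryption exits non-zero when no configuration is set (assumption for RGW).
audit_buckets() {
  local b
  for b in "$@"; do
    if ! aws --endpoint-url "$RGW_ENDPOINT" s3api get-bucket-encryption \
           --bucket "$b" >/dev/null 2>&1; then
      echo "UNENCRYPTED: $b"
    fi
  done
}
```

Typical use: `encrypt_bucket alice-data AES256` once per user bucket, then `audit_buckets $(aws --endpoint-url "$RGW_ENDPOINT" s3api list-buckets --query 'Buckets[].Name' --output text)` run from each user's credentials on a schedule, so any bucket a user created without encryption shows up instead of silently holding plaintext.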