Re: Encryption per user Howto

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dear Alexander,

Thanks a lot for helpful comments and insights. Regarding CephFS and RGW, Per user seems to be daunting and complex. 

What if encryption on the server side without per user requirment? would it be relatively easy to achieve, and how?

best regards,

Samuel





huxiaoyu@xxxxxxxxxxxx
 
From: Alexander E. Patrakov
Date: 2023-05-21 15:44
To: huxiaoyu@xxxxxxxxxxxx
CC: ceph-users
Subject: Re:  Encryption per user Howto
Hello Samuel,
 
On Sun, May 21, 2023 at 3:48 PM huxiaoyu@xxxxxxxxxxxx
<huxiaoyu@xxxxxxxxxxxx> wrote:
>
> Dear Ceph folks,
>
> Recently one of our clients approached us with a request on encrpytion per user, i.e. using individual encrytion key for each user and encryption  files and object store.
>
> Does anyone know (or have experience) how to do with CephFS and Ceph RGW?
 
For CephFS, this is unachievable.
 
For RGW, please use Vault for storing encryption keys. Don't forget
about the proper high-availability setup. Use an AppRole to manage
tokens. Use Vault Agent as a proxy that adds the token to requests
issued by RGWs. Then create a bucket for each user and set the
encryption policy for this bucket using the PutBucketEncryption API
that is available through AWS CLI. Either SSE-S3 or SSE-KMS will work
for you. SSE-S3 is easier to manage. Each object will then be
encrypted using a different key derived from its name and a per-bucket
master key which never leaves Vault.
 
Note that users will be able to create additional buckets by
themselves, and they won't be encrypted, so tell them either not to do
that or to encrypt the new buckets similarly.
 
-- 
Alexander E. Patrakov
 
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx




[Index of Archives]     [Information on CEPH]     [Linux Filesystem Development]     [Ceph Development]     [Ceph Large]     [Ceph Dev]     [Linux USB Development]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [xfs]


  Powered by Linux