Hm, this thread is confusing: in the context of S3, client-side encryption means the user is responsible for encrypting the data with their own keys before submitting it. As far as I'm aware, client-side encryption doesn't require any specific server support - it's a function of the client SDK used, which provides the convenience of encrypting your data before upload and decrypting it after download - https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html

But you can always encrypt your data and then upload it via RGW; there is nothing anywhere that prevents that, since uploaded objects are just a sequence of bytes. Metadata won't be encrypted then.

You can also do server-side encryption by bringing your own keys - https://docs.ceph.com/en/quincy/radosgw/encryption/#customer-provided-keys

I suspect you're asking for server-side encryption with keys managed by ceph on a per-user basis?

On Tue, 23 May 2023 at 03:28, huxiaoyu@xxxxxxxxxxxx <huxiaoyu@xxxxxxxxxxxx> wrote:

> Hi, Stefan,
>
> Thanks a lot for the message. It seems that client-side encryption (or per
> user) is still on the way and not ready yet for today.
>
> Are there practical methods to implement encryption for CephFS with
> today's technique? e.g. using LUKS or other tools?
>
> Kind regards,
>
> Samuel
>
> huxiaoyu@xxxxxxxxxxxx
>
> From: Stefan Kooman
> Date: 2023-05-22 17:19
> To: Alexander E. Patrakov; huxiaoyu@xxxxxxxxxxxx
> CC: ceph-users
> Subject: Re: Re: Encryption per user Howto
> On 5/21/23 15:44, Alexander E. Patrakov wrote:
> > Hello Samuel,
> >
> > On Sun, May 21, 2023 at 3:48 PM huxiaoyu@xxxxxxxxxxxx
> > <huxiaoyu@xxxxxxxxxxxx> wrote:
> >>
> >> Dear Ceph folks,
> >>
> >> Recently one of our clients approached us with a request on encryption
> >> per user, i.e. using an individual encryption key for each user and
> >> encrypting files and object store.
> >>
> >> Does anyone know (or have experience) how to do this with CephFS and
> >> Ceph RGW?
> >
> > For CephFS, this is unachievable.
>
> For a couple of years already, work is being done to have fscrypt
> support for CephFS [1]. When that work ends up in mainline kernel (and
> distro kernels at some point) this will be possible.
>
> Gr. Stefan
>
> [1]: https://lwn.net/Articles/829448/
>
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
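
The customer-provided-keys mode linked in the reply above follows the Amazon SSE-C convention of sending the key in request headers. As an added example (not from the thread and not Ceph's code), this sketch builds those headers for a per-user key and shows the checks a receiver applies; the endpoint rgw.example.com and the USER_KEYS table are constructed assumptions.

```python
import base64
import hashlib
from urllib.parse import urlsplit

PREFIX = "x-amz-server-side-encryption-customer-"


def ssec_headers(endpoint: str, key: bytes) -> dict:
    """Client side: headers that accompany an SSE-C PUT or GET."""
    if urlsplit(endpoint).scheme != "https":
        # The raw key travels in a header, so it must never cross plain HTTP.
        raise ValueError("SSE-C key would be exposed on a non-TLS endpoint")
    if len(key) != 32:
        raise ValueError("SSE-C with AES256 needs a 256-bit (32-byte) key")
    return {
        PREFIX + "algorithm": "AES256",
        PREFIX + "key": base64.b64encode(key).decode(),
        # MD5 here is only a transmission check on the key, not a security control.
        PREFIX + "key-MD5": base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def check_ssec_headers(headers: dict) -> bytes:
    """Receiving side (illustrative, not RGW's code): validate, return the key."""
    if headers.get(PREFIX + "algorithm") != "AES256":
        raise ValueError("unsupported or missing algorithm")
    try:
        key = base64.b64decode(headers[PREFIX + "key"], validate=True)
        md5 = base64.b64decode(headers[PREFIX + "key-MD5"], validate=True)
    except (KeyError, ValueError) as exc:
        raise ValueError("missing or malformed key header") from exc
    if len(key) != 32 or hashlib.md5(key).digest() != md5:
        raise ValueError("key length or key-MD5 mismatch")
    return key


# Constructed per-user keys for the demo; real keys come from a KMS or secrets
# store and are never hard-coded or derived from the user name.
USER_KEYS = {"alice": bytes(range(32)), "bob": bytes(range(32, 64))}

if __name__ == "__main__":
    for user, key in USER_KEYS.items():
        hdrs = ssec_headers("https://rgw.example.com", key)
        assert check_ssec_headers(hdrs) == key
        print(user, hdrs[PREFIX + "key-MD5"])
```

The same three headers must be sent again on every read of the object, so losing a user's key makes that user's objects unrecoverable.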