Re: Encryption per user Howto


 



Indeed, the question is on server-side encryption with keys managed by ceph on a per-user basis.

 
From: Christian Wuerdig
Date: 2023-05-23 00:51
To: huxiaoyu@xxxxxxxxxxxx
CC: Stefan Kooman; ceph-users
Subject: Re:  Re: Encryption per user Howto
Hm, this thread is confusing.
In the context of S3, client-side encryption means the user is responsible for encrypting the data with their own keys before submitting it. As far as I'm aware, client-side encryption doesn't require any specific server support - it's a function of the client SDK used, which provides the convenience of encrypting your data before upload and decrypting it after download - https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html
But you can always encrypt your data and then upload it via RGW; there is nothing anywhere that prevents that, since uploaded objects are just a sequence of bytes. Metadata won't be encrypted then.

You can also do server-side encryption by bringing your own keys - https://docs.ceph.com/en/quincy/radosgw/encryption/#customer-provided-keys

I suspect you're asking for server-side encryption with keys managed by ceph on a per-user basis?


On Tue, 23 May 2023 at 03:28, huxiaoyu@xxxxxxxxxxxx <huxiaoyu@xxxxxxxxxxxx> wrote:
Hi, Stefan,

Thanks a lot for the message. It seems that client-side encryption (or per user) is still on the way and not ready yet for today.

Are there practical methods to implement encryption for CephFS with today's technique, e.g. using LUKS or other tools?

Kind regards,


Samuel




huxiaoyu@xxxxxxxxxxxx

From: Stefan Kooman
Date: 2023-05-22 17:19
To: Alexander E. Patrakov; huxiaoyu@xxxxxxxxxxxx
CC: ceph-users
Subject: Re:  Re: Encryption per user Howto
On 5/21/23 15:44, Alexander E. Patrakov wrote:
> Hello Samuel,
> 
> On Sun, May 21, 2023 at 3:48 PM huxiaoyu@xxxxxxxxxxxx
> <huxiaoyu@xxxxxxxxxxxx> wrote:
>>
>> Dear Ceph folks,
>>
>> Recently one of our clients approached us with a request on encryption per user, i.e. using individual encryption key for each user and encryption files and object store.
>>
>> Does anyone know (or have experience) how to do with CephFS and Ceph RGW?
> 
> For CephFS, this is unachievable.

For a couple of years already, work is being done to have fscrypt 
support for CephFS [1]. When that work ends up in mainline kernel (and 
distro kernels at some point) this will be possible.

Gr. Stefan

[1]: https://lwn.net/Articles/829448/

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
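
An added example, not part of the thread or of Ceph's own code: the customer-provided-key (SSE-C) route linked above, applied per user by deriving one 256-bit key per user ID and building the three SSE-C request headers. The master secret, the HKDF derivation, the salt label and the helper names `user_key` and `sse_c_headers` are assumptions of this example; the thread does not prescribe a key-derivation scheme.

```python
import base64
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF with SHA-256 (RFC 5869): extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def user_key(master_secret: bytes, user_id: str) -> bytes:
    """Derive a distinct 256-bit key per user (hypothetical helper)."""
    if len(master_secret) < 32:
        raise ValueError("master secret must be at least 32 bytes")
    if not user_id:
        raise ValueError("user_id must not be empty")
    # The salt is a constructed domain-separation label, not a Ceph value.
    return hkdf_sha256(master_secret, b"example-rgw-sse-c", user_id.encode("utf-8"))


def sse_c_headers(key: bytes) -> dict:
    """Build the three SSE-C request headers for a 256-bit key."""
    if len(key) != 32:
        raise ValueError("SSE-C with AES256 needs a 32-byte key")
    md5 = hashlib.md5(key, usedforsecurity=False).digest()  # integrity check only
    prefix = "x-amz-server-side-encryption-customer-"
    return {
        prefix + "algorithm": "AES256",
        prefix + "key": base64.b64encode(key).decode("ascii"),
        prefix + "key-MD5": base64.b64encode(md5).decode("ascii"),
    }


if __name__ == "__main__":
    master = bytes(range(32))  # constructed sample secret; use a random one in practice
    for uid in ("alice", "bob"):
        print(uid, sse_c_headers(user_key(master, uid)))
```

With SSE-C the server does not keep the key, so the same three headers must accompany every later GET or HEAD of the object. Losing the master secret means losing access to the data.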



