Hi Robert.

> But this would still mean that the client encrypts the data.

Yes, and as far as I understood, this would be fine for the original request as well. Maybe this might sound confusing, but here is my terminology for that:

I don't count the RGW daemon as a storage server; in my terminology it's a storage gateway, which in itself is a client of the rados back-end store. Hence, I count encryption on a gateway as client-sided. For RGW the natural place to have keys for such encryption would be the gateway (which was called server-sided in an earlier e-mail), while for cephfs it would be on the machine that does the actual FS mount. For the kclient, this would be the host itself, and when using ganesha, it would have to be in the VFS config on the NFS gateway. All these I count under client-sided keys while others might consider a gateway as server-sided.

Note that client is not the same as user. The key point here is that ordinary (end-) users will in none of these cases be aware of the encryption or able to bypass it. It happens transparently. It is still on application level and, therefore, can be applied selectively.

Best regards,
=================
Frank Schilder
AIT Risø Campus
Bygning 109, rum S14

________________________________________
From: Robert Sander <r.sander@xxxxxxxxxxxxxxxxxxx>
Sent: Friday, May 26, 2023 1:29 PM
To: ceph-users@xxxxxxx
Subject: Re: Encryption per user Howto

On 5/26/23 12:26, Frank Schilder wrote:

> It may very well not serve any other purpose, but these are requests we get. If I could provide an encryption key to a ceph-fs kernel at mount time, this requirement could be solved very elegantly on a per-user (request) basis and only making users who want it pay with performance penalties.

I understand this use case. But this would still mean that the client encrypts the data. In your case the CephFS mount or with S3 the rados-gateway.

Regards
--
Robert Sander
Heinlein Consulting GmbH
Schwedter Str. 8/9b, 10119 Berlin

https://www.heinlein-support.de

Tel: 030 / 405051-43
Fax: 030 / 405051-19

Amtsgericht Berlin-Charlottenburg - HRB 220009 B
Geschäftsführer: Peer Heinlein - Sitz: Berlin
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx