Re: Encryption per user Howto


 



Hi Stefan,

there are still users with large HDD installations and I think this will not change anytime soon. What is the impact of encryption with the new settings for HDD? Is it as bad as their continued omission from any statement suggests?

Thanks and best regards,
=================
Frank Schilder
AIT Risø Campus
Bygning 109, rum S14

________________________________________
From: Stefan Kooman <stefan@xxxxxx>
Sent: Friday, June 2, 2023 5:11 PM
To: Anthony D'Atri; ceph-users@xxxxxxx
Subject:  Re: Encryption per user Howto

On 6/2/23 16:33, Anthony D'Atri wrote:
> Stefan, how do you have this implemented? Earlier this year I submitted
> https://tracker.ceph.com/issues/58569
> <https://tracker.ceph.com/issues/58569> asking to enable just this.

Lol, I have never seen that tracker, otherwise I would have informed you
about it. I see the PR and tracker are updated by you / Joshua, thanks
for that.

So yes, we have this implemented and running in production (currently
re-provisioning all OSDs). It's a locally patched 16.2.11 ceph-volume
for that matter. The PR [1] needs some fixing (I need to sit down and
make it happen, just so many other things that take up my time). But
then this would be enabled by default for flash devices
(non-rotational). If used with cryptsetup 2.4.x also the appropriate
sector size is used (based on the physical sector size). We use 4K on NVMe.

Added benefit of using cryptsetup 2.4.x is that it uses Argon2id as
PBKDF for LUKS2.

We created a backport of cryptsetup 2.4.3 for use in Ubuntu Focal (based
on Jammy) [2].

We are converting our whole cluster using LUKS2 with the work queues
bypassed. For the nodes that have been converted already it works just
fine. So, as multiple users seem to be waiting for this to be available
in Ceph ... I should hurry up and make sure the PR gets in proper shape
and merged in main.

Gr. Stefan

[1]: https://github.com/ceph/ceph/pull/49554
[2]: https://obit.bit.nl/ubuntu/focal/cryptsetup/
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
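
The device-dependent choices described in Stefan's message (work queues bypassed only for non-rotational devices, encryption sector size taken from the physical sector size, Argon2id with LUKS2), as an added example that is not part of the thread and is not the ceph-volume patch. The function names and the optional sysfs-root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: derive cryptsetup options for one block device from sysfs.
# The second argument (sysfs root) is an assumption so the logic can be run
# against a constructed directory tree instead of the real /sys/block.

# luks_format_opts DEV [SYSFS_ROOT] -> options for `cryptsetup luksFormat`
luks_format_opts() {
    dev=$1; root=${2:-/sys/block}
    pbs_file="$root/$dev/queue/physical_block_size"
    [ -r "$pbs_file" ] || { echo "no sysfs queue for $dev" >&2; return 1; }
    pbs=$(cat "$pbs_file")
    # Use 4K encryption sectors only when the device reports a physical
    # sector of at least 4096 bytes; otherwise stay at 512.
    if [ "$pbs" -ge 4096 ]; then sector=4096; else sector=512; fi
    echo "--type luks2 --pbkdf argon2id --sector-size $sector"
}

# luks_open_opts DEV [SYSFS_ROOT] -> extra options for `cryptsetup open`
luks_open_opts() {
    dev=$1; root=${2:-/sys/block}
    rot_file="$root/$dev/queue/rotational"
    [ -r "$rot_file" ] || { echo "no sysfs queue for $dev" >&2; return 1; }
    if [ "$(cat "$rot_file")" = "0" ]; then
        # Non-rotational (flash): bypass the dm-crypt read/write work queues.
        echo "--perf-no_read_workqueue --perf-no_write_workqueue"
    fi
    # Rotational: print nothing, keeping the default queued path.
}

# Stand-alone use: pass a device name such as nvme0n1 to print both sets.
if [ "$#" -gt 0 ]; then
    echo "luksFormat: $(luks_format_opts "$1")"
    echo "open:       $(luks_open_opts "$1")"
fi
```
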



