I was wondering if anyone has any working examples of the below reference of setting up ecryptfs with Gluster? My attempts so far have failed to work correctly and I am looking to ee if it is actually an option with the most recent versions of glusterfs?
Thanks in advance for any thoughts!> Finally also on the topic of security how would people suggest handling > encryption of client data and working with a storage server hosting > different encrypted data Server-side encryption is possible now, using mechanisms outside of GlusterFS (e.g. LUKS or ecryptfs). The weakness of such approaches is that the same entity - the server operator - will have access to both the encrypted data and keys. In far too many cases, this means both will be equally available to an attacker (or even more likely insider). You might as well not bother encrypting at all IMO. A more robust solution was developed for HekaFS (my now-dormant flavor of GlusterFS). In that solution, encryption is done *on the client* using keys that never exist on servers. This provides both security and deniability, either of which can be critical in current environments. A medium-strength version of this encryption has existed for about two years in HekaFS, though enough has changed that it would probably require a refresh before it could even build. A stronger version - developed in concert with security experts at Red Hat and on par with anything else that's out there - has been in review for a while and might appear in the next GlusterFS release or two. Bear in mind that even the "medium-strength" version is far more secure in practice than any server-side encryption method.
_______________________________________________ Gluster-users mailing list Gluster-users@xxxxxxxxxxx http://supercolony.gluster.org/mailman/listinfo/gluster-users
