Re: Secure Setup / Separate GlusterFS / Encryption

On 02/26/2014 09:17 PM, Lance Reed wrote:
I was wondering if anyone has any working examples of the below
reference of setting up ecryptfs with Gluster?  My attempts so far have
failed to work correctly and I am looking to see if it is actually an
option with the most recent versions of glusterfs?

Thanks in advance for any thoughts!


Slightly OT, The HekaFS encryption translator [1] has found its way into GlusterFS 3.5 beta releases. We expect the feature to be in beta for 3.5 but if you can evaluate it and let us know your feedback, that would be very helpful to us!

-Vijay

[1] https://www.gluster.org/community/documentation/index.php/Features/disk-encryption



Finally also on the topic of security how would people suggest handling
encryption of client data and working with a storage server hosting
different encrypted data

Server-side encryption is possible now, using mechanisms outside of *GlusterFS*
(e.g. LUKS or *ecryptfs*).  The weakness of such approaches is that the same
entity - the server operator - will have access to both the encrypted data and
keys.  In far too many cases, this means both will be equally available to an
attacker (or even more likely insider).  You might as well not bother
encrypting at all IMO.

A more robust solution was developed for HekaFS (my now-dormant flavor of
*GlusterFS*).  In that solution, encryption is done *on the client* using keys
that never exist on servers.  This provides both security and deniability,
either of which can be critical in current environments.  A medium-strength
version of this encryption has existed for about two years in HekaFS, though
enough has changed that it would probably require a refresh before it could
even build.  A stronger version - developed in concert with security experts at
Red Hat and on par with anything else that's out there - has been in review for
a while and might appear in the next *GlusterFS* release or two.  Bear in mind
that even the "medium-strength" version is far more secure in practice than any
server-side encryption method.




_______________________________________________
Gluster-users mailing list
Gluster-users@xxxxxxxxxxx
http://supercolony.gluster.org/mailman/listinfo/gluster-users





