Re: on disk encryption

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Mark Nelson <mark.nelson@inktank.com>
To: Sage Weil <sage@inktank.com>
Cc: ceph-devel@vger.kernel.org, dustin.kirkland@gmail.com
Subject: Re: on disk encryption
Date: Sat, 15 Sep 2012 07:22:22 -0500	[thread overview]
Message-ID: <505472FE.7030602@inktank.com> (raw)
In-Reply-To: <alpine.DEB.2.00.1209150428490.16190@cobra.newdream.net>

On 09/15/2012 06:54 AM, Sage Weil wrote:
> Hey,
>
> A common requirement that's come up in conversation a few times now is
> on-disk, at-rest encryption.  Usually, this is really just about making
> sure the bits on an individual disk are useless in isolation, so that
> drives can be safely discarded or RMAed without compromising customer
> data.
>
> I suspect the simplest way to accomplish this would be through something
> like dm-crypt.  The trick would be keeping the keys for the osd's block
> device and journal elsewhere.
>

Sounds good to me.  dm-crypt can use AES-NI which seems to help out a 
lot of the CPU usage front.  It'd be nice to make sure it works.

> One option would be to use the monitor as a lock box to securely store the
> disk encryption key, secured by the osd's existing cephx key is provided.
> The startup scripts (triggered via upstart, sysvinit, whatever) would need
> to get the keyring off the disk (separate, unencrypted partition?), get
> the disk key from the monitor, set up the dm-crypt devices, mount the
> osd's fs, and then start ceph-osd.  An attacker in possession of a
> recovered disk would be need network connectivity to the cluster (prior to
> the keys getting revoked/destroyed) in order to decrypt it.
>
> Looking forward, another option might be to implement encryption inside
> btrfs (placeholder fields are there in the disk format, introduced along
> with the compression code way back when).  This would let ceph-osd handle
> more of the key handling internally and do something like, say, only
> encrypt the current/ and snap_*/ subdirectories.
>

Sounds like this would make our code paths for btrfs and other 
filesystems diverge more rather than less.  I like the idea of not 
making our startup scripts that much more complicated, but what we end 
up doing for xfs and others?  Would we end up having to do the startup 
script path anyway or not support encryption on those FS?

> Other ideas?  Thoughts?
>
> sage
>
> --
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

next prev parent reply	other threads:[~2012-09-15 12:22 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-09-15 11:54 on disk encryption Sage Weil
2012-09-15 12:22 ` Mark Nelson [this message]
2012-09-19  1:53 ` Dustin Kirkland
2012-12-10  9:17   ` James Page
2012-12-10 15:53     ` Gregory Farnum
2013-01-22 21:28       ` James Page
     [not found]         ` <CAEgPQZDqUK+MJTX3Kbpdv3ai4=5rNCrGkxi=ioLt5OzC+zi4+Q@mail.gmail.com>
2013-01-23  0:02           ` Sage Weil
2013-01-23  0:04         ` Sage Weil
2013-01-31 23:42           ` Marcus Sorensen
2013-02-01  0:04             ` Mark Kampe
2013-02-01  0:16               ` Marcus Sorensen
2013-02-01  0:44             ` Sage Weil
2013-02-01  0:57               ` Neil Levine
2013-02-01 15:37                 ` Christian Brunner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=505472FE.7030602@inktank.com \
    --to=mark.nelson@inktank.com \
    --cc=ceph-devel@vger.kernel.org \
    --cc=dustin.kirkland@gmail.com \
    --cc=sage@inktank.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.