From: Loic Dachary <loic@dachary.org>
To: Sage Weil <sage@inktank.com>
Cc: ceph-devel@vger.kernel.org
Subject: Re: experimental dmcrypt support
Date: Sun, 17 Feb 2013 15:01:54 +0100
Message-ID: <5120E2D2.10102@dachary.org>
In-Reply-To: <alpine.DEB.2.00.1302141748510.11259@cobra.newdream.net>
Hi,

Are you aware of the current efforts to support volume encryption in OpenStack?

http://lists.openstack.org/pipermail/openstack-dev/2013-February/005317.html
https://blueprints.launchpad.net/nova/+spec/encrypt-cinder-volumes

My 2cts ;-)

On 02/15/2013 02:57 AM, Sage Weil wrote:
> Alexandre and I have been working on adding basic dm-crypt support to 
> ceph-disk-prepare/activate.  At this point it is working reasonably well, 
> but before we move forward I thought I'd see if anyone has 
> feedback/comments on the implementation.
> 
> The initial goals are very simple: transparently dm-crypt the volumes for 
> the osd data and journal before we use them, and store the keys somewhere 
> on the local host (currently /etc/ceph/dmcrypt-keys).  Eventually we'll 
> want to do something more sophisticated there--there is a whole industry to 
> support key management and compliance for this sort of thing--but slotting 
> that in later should be pretty simple.
> 
> For now, the basic process looks like this:
> 
>  ceph-disk-prepare --dmcrypt DATADISK [JOURNALDISK]
> 
> When --dmcrypt is passed, we generate a unique UUID for the data and 
> journal both (the data one matches the OSD uuid), and label the 
> GPT partitions.  We also set the type to special "dmcrypted osd" and 
> "dmcrypted journal" types.  The dm-crypt mapped devices appear in 
> /dev/mapper/$UUID, so the journal symlink inside the data dir of the 
> data volume points there.  Keys are stored in 
> /etc/ceph/dmcrypt-keys/$UUID.
> 
> Normally, to activate an OSD, a udev rule triggers on the osd partition 
> type and runs ceph-disk-activate.  In this case, it's slightly more 
> complicated.  A udev rule triggers on the encrypted journal partition type 
> and starts dm-crypt (using the key in /etc/ceph/...).  For the encrypted 
> osd partition, we first start dm-crypt, then run ceph-disk-activate on the 
> resulting /dev/mapper/$UUID volume.
> 
> That's basically it.  Leveraging udev makes this pretty simple, and should 
> be portable to any distro (vs, say, using upstart events to do the same 
> steps).
> 
> Later, we may want to add some super-simple key management so that the 
> keys are stored on the monitor instead of in a local directory, but for 
> some users at least this is sufficient (where the concern is really about 
> disposal of disks).
> 
> See wip-dmcrypt in ceph.git to take a look.
> 
> Thanks!
> sage

-- 
Loïc Dachary, Artisan Logiciel Libre
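The prepare/activate flow Sage describes above (per-partition UUIDs, GPT type codes, keys under /etc/ceph/dmcrypt-keys, a udev rule that opens the mapping and then hands /dev/mapper/$UUID to ceph-disk-activate), as an added example that is not code from wip-dmcrypt or from this thread. Everything it assumes beyond the thread is labelled: the two partition type GUIDs are placeholders (substitute the ones the branch defines), the hook path /usr/local/sbin/ceph-dmcrypt-hook and the rule file name are invented, and the mapping uses LUKS via cryptsetup rather than whatever mode the branch uses.

```sh
#!/bin/sh
# Added example, not code from wip-dmcrypt: a minimal sketch of the
# prepare/activate flow described in the thread, using sgdisk, cryptsetup
# and a udev rule.  Assumed (not from the thread): the two partition type
# GUIDs are placeholders, HOOK and RULES are invented paths, and the
# mapping uses LUKS rather than plain dm-crypt.
set -eu

KEYDIR=/etc/ceph/dmcrypt-keys                  # key directory named in the thread
HOOK=/usr/local/sbin/ceph-dmcrypt-hook         # assumed install path of this script
RULES=/etc/udev/rules.d/95-ceph-dmcrypt.rules  # assumed rule file
DMCRYPT_OSD_TYPE=00000000-0000-0000-0000-000000000001      # placeholder "dmcrypted osd"
DMCRYPT_JOURNAL_TYPE=00000000-0000-0000-0000-000000000002  # placeholder "dmcrypted journal"

dmcrypt_key_path() { printf '%s/%s\n' "$KEYDIR" "$1"; }   # key for one partition UUID
mapped_device()    { printf '/dev/mapper/%s\n' "$1"; }    # dm-crypt target for that UUID

new_uuid() {
    if [ -r /proc/sys/kernel/random/uuid ]; then cat /proc/sys/kernel/random/uuid
    else uuidgen | tr 'A-Z' 'a-z'; fi
}

# One rule per encrypted partition type.  udev's blkid builtin exports the GPT
# type and partition GUID; the hook uses them to find the key and name the mapping.
render_udev_rules() {
    for t in "$DMCRYPT_OSD_TYPE" "$DMCRYPT_JOURNAL_TYPE"; do
        printf 'ACTION=="add", SUBSYSTEM=="block", ENV{ID_PART_ENTRY_TYPE}=="%s", RUN+="%s activate $env{ID_PART_ENTRY_TYPE} $devnode $env{ID_PART_ENTRY_UUID}"\n' \
            "$t" "$HOOK"
    done
}

# Generate a 256-byte random key readable only by root.
make_key() {  # $1 = partition UUID
    mkdir -p -m 0700 "$KEYDIR"
    ( umask 077; head -c 256 /dev/urandom > "$(dmcrypt_key_path "$1")" )
}

# Label a fresh single partition with the given type, name and GUID, then
# LUKS-format it and open it as /dev/mapper/$uuid.  Requires root.
prepare_partition() {  # $1 = disk, $2 = type GUID, $3 = name, $4 = partition UUID
    key=$(dmcrypt_key_path "$4")
    sgdisk --new=1:0:0 --change-name="1:$3" --partition-guid="1:$4" --typecode="1:$2" -- "$1"
    udevadm settle
    part=/dev/disk/by-partuuid/$4
    cryptsetup --batch-mode luksFormat --key-file "$key" "$part"
    cryptsetup luksOpen --key-file "$key" "$part" "$4"
}

# udev entry point.  A partition may appear before its key exists (while
# prepare is still running) or after a reboot; only the latter must proceed.
activate() {  # $1 = type GUID, $2 = device node, $3 = partition UUID
    key=$(dmcrypt_key_path "$3")
    if [ ! -r "$key" ]; then echo "no key for $3 yet, skipping" >&2; return 0; fi
    cryptsetup status "$3" >/dev/null 2>&1 || cryptsetup luksOpen --key-file "$key" "$2" "$3"
    if [ "$1" = "$DMCRYPT_OSD_TYPE" ]; then
        ceph-disk-activate "$(mapped_device "$3")"   # journal partitions: mapping only
    fi
}

case "${1:-}" in
    install-rules)
        render_udev_rules > "$RULES"
        udevadm control --reload-rules ;;
    prepare)  # prepare DATADISK [JOURNALDISK]
        duuid=$(new_uuid); make_key "$duuid"
        prepare_partition "$2" "$DMCRYPT_OSD_TYPE" "ceph data" "$duuid"
        if [ -n "${3:-}" ]; then
            juuid=$(new_uuid); make_key "$juuid"
            prepare_partition "$3" "$DMCRYPT_JOURNAL_TYPE" "ceph journal" "$juuid"
            echo "journal: $(mapped_device "$juuid")"   # target of the data dir's journal symlink
        fi
        echo "data:    $(mapped_device "$duuid")" ;;
    activate) shift; activate "$@" ;;
esac
```

Usage: `ceph-dmcrypt-hook install-rules` once, then `ceph-dmcrypt-hook prepare /dev/sdb /dev/sdc`; the udev rule runs `activate` on every later hotplug or boot. The skip-if-no-key branch matters because the rule also fires on the partition created during prepare, before luksFormat has run. Note the threat model this gives you is exactly the one the thread states: the key sits unencrypted on the same host as the disk, so it protects against disposal or RMA of a drive, not against someone who takes the whole host or reads /etc/ceph.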