* experimental dmcrypt support
@ 2013-02-15  1:57 Sage Weil
From: Sage Weil @ 2013-02-15  1:57 UTC (permalink / raw)
  To: ceph-devel

Alexandre and I have been working on adding basic dm-crypt support to 
ceph-disk-prepare/activate.  At this point it is working reasonably well, 
but before we move forward I thought I'd see if anyone has 
feedback/comments on the implementation.

The initial goals are very simple: transparently dm-crypt the volumes for 
the osd data and journal before we use them, and store the keys somewhere 
on the local host (currently /etc/ceph/dmcrypt-keys).  Eventually we'll 
want to do something more sophisticated there--there is a whole industry to 
support key management and compliance for this sort of thing--but slotting 
that in later should be pretty simple.

For now, the basic process looks like this:

 ceph-disk-prepare --dmcrypt DATADISK [JOURNALDISK]

When --dmcrypt is passed, we generate a unique UUID for the data and 
journal both (the data one matches the OSD uuid), and label the 
GPT partitions.  We also set the type to special "dmcrypted osd" and 
"dmcrypted journal" types.  The dm-crypt mapped devices appear in 
/dev/mapper/$UUID, so the journal symlink inside the data dir of the 
data volume points there.  Keys are stored in 
/etc/ceph/dmcrypt-keys/$UUID.

Normally, to activate an OSD, a udev rule triggers on the osd partition 
type and runs ceph-disk-activate.  In this case, it's slightly more 
complicated.  A udev rule triggers on the encrypted journal partition type 
and starts dm-crypt (using the key in /etc/ceph/...).  For the encrypted 
osd partition, we first start dm-crypt, then run ceph-disk-activate on the 
resulting /dev/mapper/$UUID volume.

That's basically it.  Leveraging udev makes this pretty simple, and should 
be portable to any distro (vs, say, using upstart events to do the same 
steps).

Later, we may want to add some super-simple key management so that the 
keys are stored on the monitor instead of in a local directory, but for 
some users at least this is sufficient (where the concern is really about 
disposal of disks).

See wip-dmcrypt in ceph.git to take a look.

Thanks!
sage
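
The prepare/activate flow described in the mail, as an added illustration in Python (ceph-disk's language); this is not code from wip-dmcrypt or any Ceph release. It keeps what the mail states (one key per volume UUID under /etc/ceph/dmcrypt-keys, the data UUID doubling as the OSD uuid, the mapped device at /dev/mapper/$UUID, udev triggering on the partition type, ceph-disk-activate run against the mapped device) and assumes the rest: plain-mode cryptsetup fed a raw 256-bit key file, that the helper learns $UUID from the partition's GPT entry UUID, the shape of the udev rule, and a `run` hook through which commands are executed so the flow can be exercised without root or real block devices.

```python
#!/usr/bin/env python3
"""Sketch of the --dmcrypt prepare/activate flow from the mail above.

Added illustration, not ceph-disk code.  From the mail: one key per volume
UUID under /etc/ceph/dmcrypt-keys, the data UUID doubling as the OSD uuid,
and the mapped device at /dev/mapper/$UUID.  Assumed here: plain-mode
cryptsetup with a raw 256-bit key file, the udev rule shape, and the `run`
hook used to execute commands.
"""
import os
import secrets
import subprocess
import uuid

KEY_DIR = "/etc/ceph/dmcrypt-keys"   # location named in the mail
KEY_BYTES = 32                       # assumption: 256-bit dm-crypt key


def key_path(dev_uuid, key_dir=KEY_DIR):
    return os.path.join(key_dir, str(dev_uuid))


def create_key(dev_uuid, key_dir=KEY_DIR):
    """Create key_dir/$UUID holding a fresh random key.

    Directory 0700, file 0600, opened with O_EXCL: a key that already maps a
    volume must never be silently replaced, or that volume is unreadable.
    """
    os.makedirs(key_dir, mode=0o700, exist_ok=True)
    os.chmod(key_dir, 0o700)
    path = key_path(dev_uuid, key_dir)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(secrets.token_bytes(KEY_BYTES))
    return path


def mapped_path(dev_uuid):
    """dm-crypt target name == volume UUID, so the device is /dev/mapper/$UUID."""
    return "/dev/mapper/%s" % dev_uuid


def map_cmd(dev, dev_uuid, key_dir=KEY_DIR):
    """argv that maps `dev` as /dev/mapper/$UUID (assumed: plain dm-crypt, raw key file)."""
    return ["cryptsetup", "--key-file", key_path(dev_uuid, key_dir),
            "--key-size", str(KEY_BYTES * 8), "create", str(dev_uuid), dev]


def check_key(path):
    """Refuse a key readable by anyone but its owner: a lax mode defeats the
    one thing this scheme protects against (a disk that has left the host)."""
    if os.stat(path).st_mode & 0o077:
        raise RuntimeError("key %s is group/world accessible" % path)
    return path


def prepare(data_dev, journal_dev=None, osd_uuid=None, key_dir=KEY_DIR):
    """ceph-disk-prepare --dmcrypt DATADISK [JOURNALDISK]: a UUID and a key
    per volume.  GPT labelling/typing of the partitions is left out here."""
    osd_uuid = osd_uuid or uuid.uuid4()
    plan = {"data": (data_dev, osd_uuid, create_key(osd_uuid, key_dir))}
    if journal_dev is not None:
        journal_uuid = uuid.uuid4()
        plan["journal"] = (journal_dev, journal_uuid,
                           create_key(journal_uuid, key_dir))
    return plan


def activate_journal(dev, dev_uuid, key_dir=KEY_DIR, run=subprocess.check_call):
    """udev action for a 'dmcrypted journal' partition: just map it."""
    check_key(key_path(dev_uuid, key_dir))
    run(map_cmd(dev, dev_uuid, key_dir))
    return mapped_path(dev_uuid)


def activate_osd(dev, dev_uuid, key_dir=KEY_DIR, run=subprocess.check_call):
    """udev action for a 'dmcrypted osd' partition: map it, then hand the
    mapped device (not the raw partition) to ceph-disk-activate."""
    mapped = activate_journal(dev, dev_uuid, key_dir, run)
    run(["ceph-disk-activate", mapped])
    return mapped


def udev_rule(part_type_guid, helper):
    """Rule text keyed on the GPT partition type GUID (ID_PART_ENTRY_TYPE and
    ID_PART_ENTRY_UUID are filled in by udev's blkid probe).  The GUID is
    whatever ceph-disk-prepare stamps on the partition; the mail does not
    give it, so it is a parameter here."""
    return ('ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", '
            'ENV{ID_PART_ENTRY_TYPE}=="%s", '
            'RUN+="%s $devnode $env{ID_PART_ENTRY_UUID}"\n'
            % (part_type_guid, helper))
```

Two points worth keeping in mind when reading this against the mail. First, the key lives on the same host as the disk it unlocks, so, as Sage says, the scheme only helps when a disk leaves the host (disposal, RMA); it does nothing against someone with root on the OSD node, which is why the helper refuses to proceed on a key file with lax permissions. Second, plain-mode dm-crypt keeps no on-disk header, so losing /etc/ceph/dmcrypt-keys/$UUID loses the volume; whatever key-management backend is slotted in later has to treat those files as the only copy until then.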


* Re: experimental dmcrypt support
From: Loic Dachary @ 2013-02-17 14:01 UTC (permalink / raw)
  To: Sage Weil; +Cc: ceph-devel


Hi,

Are you aware of the current efforts to support volume encryption in OpenStack ?

http://lists.openstack.org/pipermail/openstack-dev/2013-February/005317.html
https://blueprints.launchpad.net/nova/+spec/encrypt-cinder-volumes

My 2cts ;-)

On 02/15/2013 02:57 AM, Sage Weil wrote:
> Alexandre and I have been working on adding basic dm-crypt support to 
> ceph-disk-prepare/activate.  At this point it is working reasonably well, 
> but before we move forward I thought I'd see if anyone has 
> feedback/comments on the implementation.
> 
> The initial goals are very simple: transparently dm-crypt the volumes for 
> the osd data and journal before we use them, and store the keys somewhere 
> on the local host (currently /etc/ceph/dmcrypt-keys).  Eventually we'll 
> want to do something more sophisticated there--there is a whole industry to 
> support key management and compliance for this sort of thing--but slotting 
> that in later should be pretty simple.
> 
> For now, the basic process looks like this:
> 
>  ceph-disk-prepare --dmcrypt DATADISK [JOURNALDISK]
> 
> When --dmcrypt is passed, we generate a unique UUID for the data and 
> journal both (the data one matches the OSD uuid), and label the 
> GPT partitions.  We also set the type to special "dmcrypted osd" and 
> "dmcrypted journal" types.  The dm-crypt mapped devices appear in 
> /dev/mapper/$UUID, so the journal symlink inside the data dir of the 
> data volume points there.  Keys are stored in 
> /etc/ceph/dmcrypt-keys/$UUID.
> 
> Normally, to activate an OSD, a udev rule triggers on the osd partition 
> type and runs ceph-disk-activate.  In this case, it's slightly more 
> complicated.  A udev rule triggers on the encrypted journal partition type 
> and starts dm-crypt (using the key in /etc/ceph/...).  For the encrypted 
> osd partition, we first start dm-crypt, then run ceph-disk-activate on the 
> resulting /dev/mapper/$UUID volume.
> 
> That's basically it.  Leveraging udev makes this pretty simple, and should 
> be portable to any distro (vs, say, using upstart events to do the same 
> steps).
> 
> Later, we may want to add some super-simple key management so that the 
> keys are stored on the monitor instead of in a local directory, but for 
> some users at least this is sufficient (where the concern is really about 
> disposal of disks).
> 
> See wip-dmcrypt in ceph.git to take a look.
> 
> Thanks!
> sage

-- 
Loïc Dachary, Artisan Logiciel Libre


