From: Joshua Schmid <jschmid@suse.de>
To: Sage Weil <sage@newdream.net>
Cc: ceph-devel@vger.kernel.org
Subject: Re: Proposal: data-at-rest encryption
Date: Thu, 27 Aug 2015 10:46:30 +0200 [thread overview]
Message-ID: <55DECE66.5000505@suse.de> (raw)
In-Reply-To: <alpine.DEB.2.00.1508261744370.13116@cobra.newdream.net>
On 08/27/2015 02:49 AM, Sage Weil wrote:
> Hi Joshua!
>
Hi Sage,
> Overall the ceph-disk changes look pretty good, and it looks like Andrew
> and David have both reviewed. My only real concern/request is that the
> key server be as pluggable as possible. You're using ftps here, but we'd
> also like to allow deo[1], or even the mon config-key service.
Thank for having a look!
I think this should do:
https://github.com/jschmid1/ceph/commit/7dd64c70bcb8d986568d6f379a6fbf9a0e40a441
Service of choice can now be set in the ceph.conf and will be handled
separately. This is currently only for unlocking/mapping but will be
extended for locking/new if this solution is acceptable.
>
> With the original mon proposal, we also wanted an additional layer of
> security (beyond simply access to the storage network) by
> storing some key-fetching-key on the disk.
Like deo does it? (From the deo README)
"""
Second, we will add a new random key to the pre-existing LUKS encrypted
disk and then encrypt it using Deo in a known location.
"""
It looks like the ftps
> access is unauthenticated... is that right? I would assume (I'm not hte
> expert!) that most key management systems require some credentials to
> store/fetch keys?
Its totally unauthenticated, thats right. It'd be possible to require
USER/PASS for ftp.
>
> sage
>
--
Freundliche Grüße - Kind regards,
Joshua Schmid
Trainee - Storage
SUSE Linux GmbH - Maxfeldstr. 5 - 90409 Nürnberg
--------------------------------------------------------------------------------------------------------------------
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard,
Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
--------------------------------------------------------------------------------------------------------------------
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2015-08-27 8:44 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-24 9:16 Proposal: data-at-rest encryption Joshua Schmid
2015-08-27 0:49 ` Sage Weil
2015-08-27 8:46 ` Joshua Schmid [this message]
2015-08-27 13:38 ` Sage Weil
2015-08-28 8:03 ` Joshua Schmid
[not found] ` <CAFdRU70jHtfh84zzAnyffvEpqFHAQ1=413Xok_gxpBcVX1NhKw@mail.gmail.com>
2015-08-28 8:11 ` Joshua Schmid
2015-08-28 12:29 ` Shinobu Kinjo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55DECE66.5000505@suse.de \
--to=jschmid@suse.de \
--cc=ceph-devel@vger.kernel.org \
--cc=sage@newdream.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.