Bug 1537538

Summary: [Docs] Update RHCS 3.0 docs to support object encryption
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: khartsoe <khartsoe>
Component: Documentation
Assignee: ceph-docs <ceph-docs>
Documentation sub component: Administration Guide
QA Contact: Tejas <tchandra>
Status: CLOSED WONTFIX
Docs Contact:
Severity: high
Priority: unspecified
CC: asriram, flucifre, hyelloji, jowilkin, kdreyer, vereddy
Version: 3.0
Target Milestone: z1
Target Release: Backlog
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-17 15:28:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description khartsoe@redhat.com 2018-01-23 13:28:52 UTC
Description of problem:

Please get the admin guide fixed now that we support object
granular encryption in RHCS 3.0. I looked at the pdf and page 44 states
this:

"Further, Ceph does not include options to encrypt user data in the
object store. Users can hand-encrypt and store their own data in the Ceph
object store, of course, but Ceph provides no features to perform object
encryption itself. Those storing sensitive data in Ceph should consider
encrypting their data before providing it to the Ceph system."

This section can now be removed and a pointer created to the object
encryption capability in Ceph that we now support in 3.0.

Version-Release number of selected component (if applicable):

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3/html-single/administration_guide/#limitations

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
I've seen differing info about object encryption in several official
documents, e.g.
- RHCS 3.0 Release Notes, RHCS 3.0 Developer Guide, which state that we
support server side object encryption
- RHCS 3.0 Admin Guide (page 47), which states the opposite
- Roadmap, which mentions user encryption

Can you please have a look at various official docs, clarify what is
actually supported and have somebody fix the information in all the docs.

thanks & regards
Gerald

Gerald Sternagl

Comment 3 John Wilkins 2018-01-30 17:04:08 UTC
I removed misleading language and provided a concrete example with the S3 server side encryption feature. I was not able to find any general purpose encryption with librados. If that is available, I require additional information. 

https://gitlab.cee.redhat.com/red-hat-ceph-storage-documentation/doc-Red_Hat_Ceph_Storage_3-Administration_Guide/commit/4e14a68ffca4897a8457b1380a10c01ab922da78

Comment 6 Federico Lucifredi 2018-02-15 17:24:54 UTC
Hi John,
The general-purpose encryption is by setup of dmcrypt underneath the OSD. The Ansible tooling and ceph-volume should cover this neatly.

Thanks!

Comment 7 John Brier 2019-01-22 23:39:36 UTC
Federico,

We already have info in the Architecture Guide on how encryption in Ceph works, but it references ceph-disk instead of ceph-volume:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3/html-single/architecture_guide/index#concept-arch-encryption-arch

I assume we need to update that to reference ceph-volume since I believe that is used now [1].

Do other changes need to be made there?

The architecture guide says to go to the following URL for instructions to set up encryption:

I note the dmcrypt osd.yml setting is in Table 3.2:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3/html-single/installation_guide_for_red_hat_enterprise_linux/#installing-a-red-hat-ceph-storage-cluster

Is that enough information in our docs to cover setting up encryption via Ansible?

[1] http://docs.ceph.com/docs/luminous/ceph-volume/lvm/encryption/

Comment 8 Giridhar Ramaraju 2019-08-05 13:06:31 UTC
Updating the QA Contact to Hemant. Hemant will be rerouting them to the appropriate QE Associate.

Regards,
Giri

Comment 9 Giridhar Ramaraju 2019-08-05 13:09:10 UTC
Updating the QA Contact to Hemant. Hemant will be rerouting them to the appropriate QE Associate.

Regards,
Giri

Comment 10 Giridhar Ramaraju 2019-08-20 07:17:15 UTC
Level setting the severity of this defect to "High" with a bulk update. Please
refine it to a closer value, as defined by the severity definition in
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity