Bug 1397984 - [RFE] Ceph's At-Rest encryption features
Summary: [RFE] Ceph's At-Rest encryption features
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: Documentation
Version: 2.1
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: 2.2
Assignee: Bara Ancincova
QA Contact: Vasishta
URL:
Whiteboard:
Depends On:
Blocks: 1412948
TreeView+ depends on / blocked
 
Reported: 2016-11-23 18:09 UTC by Neil Levine
Modified: 2017-03-21 23:49 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
.Ansible now supports adding encrypted OSDs You can now use the `ceph-ansible` utility to add encrypted OSD nodes. For details on how to do it, see the https://access.redhat.com/documentation/en/red-hat-ceph-storage/2/single/installation-guide-for-red-hat-enterprise-linux/#configuring_ceph_osd_settings[Configuring Ceph OSD Settings] section in the Red Hat Ceph Storage 2 Installation Guide for Red Hat Enterprise Linux. For details on how this feature works, see the https://access.redhat.com/documentation/en/red-hat-ceph-storage/2/single/architecture-guide/#encryption-1[Encryption] chapter in the Architecture Guide for Red Hat Ceph Storage 2.
Clone Of:
Environment:
Last Closed: 2017-03-21 23:49:44 UTC


Attachments (Terms of Use)

Description Neil Levine 2016-11-23 18:09:18 UTC
We need to document the architecture and capabilities of Ceph's at-rest encryption feature. Topics to cover:

1. How dm-crypt works and how it benefits the admin/end-user.
2. How OSDs interact with dm-crypt during installation, initialization, etc
3. How keys are handled.

Comment 5 seb 2017-01-16 11:02:52 UTC
Alright, thanks for the clarification Neil. I thought this was documented already and the "at-rest" misled me.

Bara, answer below:

2. During the OSD installation, for a collocated scenario (journal and ceph data on the same disk), ceph-disk creates 3 partitions: "ceph data", "ceph journal" and a tiny " ceph lockbox" (10M). The lockbox partition holds a couple of files, such as the key used by the client.osd-lockbox user to retrieve LUKS private key. Both data and journal partitions are encrypted.

Later, cryptsetup sets up two dm-crypt devices in LUKS for both "ceph data" and "ceph journal" partitions. dm-crypt devices are identified by the respective partition guid of "ceph data" and "ceph journal".

3. LUKS Keys are stored in key/value store of the Ceph monitors. Each OSD has its own key. Those keys are used to "open" the dmcrypt device so that device can be accessed and the filesystem mounted.

Hope it's clear :).

Comment 6 seb 2017-01-16 11:25:48 UTC
Isn't this a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1325745?

Comment 9 seb 2017-01-16 14:31:04 UTC
Sounds good to me :)

Comment 11 seb 2017-01-17 10:43:38 UTC
Answering the questions here:

Question: do the partition names really include spaces? Shouldn’t it be ceph_data or ceph-data?

Yes they have space, these are partition labels.


Question: Is the client.osd-lockbox user a cephfx user? How does this work together? Does Ansible create that user?Question: How does this work when data and journal are on not collocated?

Yes it's a cephx user. ceph-disk creates the user. This is identical when there is a dedicated device for the journal, the journal partition gets encrypted as well. Same mechanism.

Question: what if I restart the encrypted OSD node? Am I going to be prompted for a password? How this is handled?

No password required for the restart the partition stays open.

Question: Do we have any recommended/best practices?

Best practices for?

Comment 13 seb 2017-01-18 13:41:15 UTC
Question: when do I need to list and access the keys? Do I need to copy them for example to a newly added monitor? What is the use case for this?

We don't need to do anything with those keys. This key is the LUKS key used to encrypt the device.

Question: Any recommendation/best practices? (Context: This comes from "Describe how to store dm-crypt keys (dmcrypt-key-dir) and any relevant guidelines/recommendations, etc." in the content plan

dm-crypt keys are stored on the monitors kv store so we are good.

Comment 15 seb 2017-01-18 13:46:26 UTC
Yes remove the list and get keys from the doc :)

Comment 17 seb 2017-01-19 10:25:09 UTC
LGTM, thanks Bara!

Comment 22 seb 2017-02-20 20:56:15 UTC
Bara, I removed the LUKS part which is not necessary. LGTM as is now.


Note You need to log in before you can comment on or make changes to this bug.