Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
This project is now read‑only. Starting Monday, February 2, please use https://ibm-ceph.atlassian.net/ for all bug tracking management.

Bug 2373703

Summary: cephadm support for NFS BYOK
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Adam King <adking>
Component: Cephadm
Assignee: Adam King <adking>
Status: CLOSED ERRATA
QA Contact: Manisha Saini <msaini>
Severity: high
Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified
Version: 8.1
CC: cephqe-warriors, hyelloji, msaini, rpollack, shbhosal
Target Milestone: ---
Target Release: 8.1z1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ceph-19.2.1-224
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of:
: 2389164
Last Closed: 2025-08-18 14:01:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 2389164

Description Adam King 2025-06-18 13:58:44 UTC
BZ to track the cephadm support for NFS BYOK. Copying the content from the Jira ticket (https://jsw.ibm.com/browse/ISCE-2129)

Many industries now require the highest level of information security. We need to protect our users against information / data theft by providing encryption capabilities for NFS shares/exports. Encryption could be managed centrally by an administrator or directly by the user with a user-provided encryption key.

User Stories
As an administrator I want to make sure that the users of my FSaaS services can rely on me protecting their data by encryption per NFS-export so that no other users/tenants can see anyone else's data. Each tenant would get their own NFS-export and each export would be encrypted with a different encryption key.
As an administrator I want to manage my encryption keys with an industry-standard KMS like e.g. HashiCorp
As an administrator I want to be able to mount encrypted shares and take incremental backups of them, and restore those snapshots as needed (without ever decrypting)
this means defining a file format for those incremental diffs, to be clear
As an integrator, I want to be able to set up encrypted subvolumes, query libcephfs about if a particular directory needs an encryption key, and identify the name of that key so I can provide it from an existing KMS
As a user I want to be able to bring my own encryption keys and encrypt my own data per share or even per directory

Comment 1 Storage PM bot 2025-06-18 13:59:00 UTC
Please specify the severity of this bug. Severity is defined here:
https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity.

Comment 7 errata-xmlrpc 2025-08-18 14:01:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 8.1 security and bug fix updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2025:14015