RGW supports the three flavors of S3 Server-Side Encryption, along with the PutBucketEncryption API for per-bucket default encryption. You can find the docs at https://docs.ceph.com/en/quincy/radosgw/encryption/
On Mon, May 22, 2023 at 10:49 AM huxia...@horebdata.cn <huxia...@horebdata.cn> wrote:
>
> Dear Alexander,
>
> Thanks a lot for helpful comments and insights. Regarding CephFS and RGW, per
> user seems to be daunting and complex.
>
> What if encryption on the server side without per user requirement? Would it
> be relatively easy to achieve, and how?
>
> best regards,
>
> Samuel
>
> huxia...@horebdata.cn
>
> From: Alexander E. Patrakov
> Date: 2023-05-21 15:44
> To: huxia...@horebdata.cn
> CC: ceph-users
> Subject: Re: [ceph-users] Encryption per user Howto
>
> Hello Samuel,
>
> On Sun, May 21, 2023 at 3:48 PM huxia...@horebdata.cn
> <huxia...@horebdata.cn> wrote:
> >
> > Dear Ceph folks,
> >
> > Recently one of our clients approached us with a request on encryption per
> > user, i.e. using individual encryption key for each user and encryption
> > files and object store.
> >
> > Does anyone know (or have experience) how to do with CephFS and Ceph RGW?
>
> For CephFS, this is unachievable.
>
> For RGW, please use Vault for storing encryption keys. Don't forget
> about the proper high-availability setup. Use an AppRole to manage
> tokens. Use Vault Agent as a proxy that adds the token to requests
> issued by RGWs. Then create a bucket for each user and set the
> encryption policy for this bucket using the PutBucketEncryption API
> that is available through AWS CLI. Either SSE-S3 or SSE-KMS will work
> for you. SSE-S3 is easier to manage. Each object will then be
> encrypted using a different key derived from its name and a per-bucket
> master key which never leaves Vault.
>
> Note that users will be able to create additional buckets by
> themselves, and they won't be encrypted, so tell them either not to do
> that or to encrypt the new buckets similarly.
>
> --
> Alexander E. Patrakov
>
> _______________________________________________
> ceph-users mailing list -- ceph-users@ceph.io
> To unsubscribe send an email to ceph-users-le...@ceph.io
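Alexander's caveat above (buckets that users create themselves carry no default encryption) is something an operator will want to check regularly. The following audit script is an added example, not part of this thread or of Ceph; it walks every bucket through the S3 GetBucketEncryption API and reports which ones have an SSE-S3 or SSE-KMS default policy and which have none. For a live run it assumes boto3 and a reachable RGW endpoint, and it assumes RGW signals a missing policy with the same `ServerSideEncryptionConfigurationNotFoundError` code that AWS uses.

```python
import sys


def sse_s3_configuration() -> dict:
    """PutBucketEncryption body that makes SSE-S3 (AES256) the bucket default."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}


def encryption_mode(config: dict):
    """Classify a GetBucketEncryption body: 'SSE-S3', 'SSE-KMS' or None."""
    for rule in config.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo == "AES256":
            return "SSE-S3"
        if algo == "aws:kms":
            return "SSE-KMS"
    return None


def error_code(exc: Exception) -> str:
    """S3 error code from a botocore-style ClientError (duck-typed, no import needed)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def audit_buckets(s3) -> dict:
    """Map each bucket to its default encryption mode; None means no policy at all.

    `s3` is any client with list_buckets() and get_bucket_encryption(Bucket=...),
    e.g. boto3.client("s3", endpoint_url=<RGW endpoint>).
    """
    report = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            body = s3.get_bucket_encryption(Bucket=name)
            report[name] = encryption_mode(body["ServerSideEncryptionConfiguration"])
        except Exception as exc:
            # A bucket that was never given a policy answers with this error code;
            # anything else (AccessDenied, network) is a real failure, so re-raise.
            if error_code(exc) != "ServerSideEncryptionConfigurationNotFoundError":
                raise
            report[name] = None
    return report


if __name__ == "__main__":
    import boto3  # assumed installed; run as: python audit.py http://rgw.example:7480
    client = boto3.client("s3", endpoint_url=sys.argv[1])
    for name, mode in audit_buckets(client).items():
        print(f"{name}: {mode or 'NOT ENCRYPTED - set a PutBucketEncryption policy'}")
```

`sse_s3_configuration()` is the same body you would pass to `put_bucket_encryption` (or to `aws s3api put-bucket-encryption`) to fix a bucket the audit flags.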