The process to create an encrypted bluestore OSD is very simple to make them utilize dmcrypt (literally just add --dmcrypt to the exact same command you would run normally to create the OSD). The gotcha is that I had to find the option by using --help with ceph-volume from the cli. I was unable to find any reference to it in the ceph docs online.
I'm not sure where I would suggest putting it. I searched for it through googling the terms and didn't find anything. Hopefully this comes up in future searches and is helpful.

[1] ceph-volume --help
ceph-volume lvm --help
ceph-volume lvm create --help (ahh, there it is)

On Wed, May 2, 2018 at 11:51 AM David Turner <[email protected]> wrote:

> At 'rest' is talking about data on its own, not being accessed through an
> application. Encryption at rest is most commonly done by encrypting the
> block device with something like dmcrypt. It's anything that makes having
> the physical disk useless without being able to decrypt it. You can also
> just encrypt a folder with sensitive information which would also be
> encryption at rest. Encryption not at rest would be like putting a secure
> layer between the data and the users that access it, like HTTPS/SSL.
>
> On Wed, May 2, 2018 at 11:25 AM Alfredo Deza <[email protected]> wrote:
>
>> On Wed, May 2, 2018 at 11:12 AM, David Turner <[email protected]> wrote:
>> > I've heard conflicting opinions if GDPR requires data to be encrypted at
>> > rest, but enough of our customers believe that it is that we're looking at
>> > addressing it in our clusters. I had a couple questions about the state of
>> > encryption in ceph.
>> >
>> > 1) My experience with encryption in Ceph is dmcrypt, is this still the
>> > standard method or is there something new with bluestore?
>>
>> Standard, yes.
>>
>> > 2) Assuming dmcrypt is still the preferred option, is it fully
>> > supported/tested in ceph-volume? There were problems with this when
>> > ceph-volume was initially released, but I believe those have been resolved.
>>
>> It is fully supported, but only with LUKS. The initial release of
>> ceph-volume didn't have dmcrypt support.
>>
>> > 3) Any other thoughts about encryption at rest? I have an upgrade path to
>> > get to encryption (basically the same as getting to bluestore from
>> > filestore).
>>
>> Not sure what you mean by 'rest'. The ceph-volume encryption would
>> give you the same type of encryption that was provided by ceph-disk
>> with the only "gotcha" being it is LUKS (plain is not supported for
>> newly encrypted devices)
>>
>> >
>> > Thanks for your comments.
>> >
_______________________________________________ ceph-users mailing list [email protected] http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
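
Added example, not part of the original thread: since ceph-volume's dmcrypt support is LUKS-only, one way to audit that OSDs created with --dmcrypt really are encrypted is to check each backing device for the LUKS header magic. The file names and sample images below are constructed, and the script assumes you would pass it the OSD logical volume paths (for instance those shown by `ceph-volume lvm list`) on a real host.

```shell
#!/bin/sh
# Added example: confirm that OSD devices carry a LUKS header.
# LUKS1 and LUKS2 headers both start with "LUKS" 0xBA 0xBE, then a
# 2-byte big-endian version number.

luks_version() {
    # Print 1 or 2 and return 0 if $1 starts with a LUKS header, else return 1.
    _hdr=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $_hdr in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

unencrypted_devices() {
    # Print every path without a LUKS header; return 1 if any was found.
    _rc=0
    for _dev in "$@"; do
        if ! luks_version "$_dev" >/dev/null; then
            echo "$_dev"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample images standing in for OSD logical volumes.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'LUKS\272\276\000\002' > "$tmp/osd-block-luks2.img"      # constructed LUKS2 magic + version
printf 'bluestore block device\n' > "$tmp/osd-block-plain.img"  # constructed non-LUKS content

if unencrypted_devices "$tmp"/*.img; then
    echo "all devices have a LUKS header"
else
    echo "the devices listed above are not LUKS-encrypted" >&2
fi
```

Where cryptsetup is installed, `cryptsetup isLuks <device>` performs the same header check.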
