Hello Ceph-Users,

I have a question regarding support for any client-side encryption in the Cloud Sync Module for RGW (https://docs.ceph.com/en/latest/radosgw/cloud-sync-module/).

While a "regular" multi-site setup (https://docs.ceph.com/en/latest/radosgw/multisite/) is usually syncing data between Ceph clusters, RGWs and other supporting infrastructure in the same administrative domain, this might be different when looking at cloud sync. One could set up a sync to e.g. AWS S3 or any other compatible S3 implementation that is provided as a service and by another provider.

1) I was wondering if there is any transparent way to apply client-side encryption to those objects that are sent to the remote service? Even something the likes of a single static key (see https://github.com/ceph/ceph/blob/1c9e84a447bb628f2235134f8d54928f7d6b7796/doc/radosgw/encryption.rst#automatic-encryption-for-testing-only) would protect against the remote provider being able to look at the data.


2) What happens to objects that are encrypted on the source RGW and via SSE-S3? (https://docs.ceph.com/en/quincy/radosgw/encryption/#sse-s3) I suppose those remain encrypted? But this does require users to actively make use of SSE-S3, right?



Thanks again with kind regards,


Christian

_______________________________________________
ceph-users mailing list -- ceph-users@ceph.io