Re: [ceph-users] GDPR encryption at rest
On 02/05/18 16:12, David Turner wrote: > I've heard conflicting opinions if GDPR requires data to be encrypted > at rest Encryption both in transit and at rest is part of data protection by design: it is about making sure that you have control over the data that you hold/are processing and that if you lose physical control over the storage medium (at rest) or the communication channel (in transit) that you do not also have a loss of control (a data breach). Encrypted data, whether it includes a personal data or not, is 'protected' secure data. GDPR doesn't particularly describe encryption but the ICO guidance does and in particular "Where appropriate, you should look to use measures such as pseudonymisation and encryption." We're currently working on a Ceph based Document Management System with object encryption which needs to comply with GDPR for users - and we're opting for encrypting everything! ___ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
Re: [ceph-users] GDPR encryption at rest
On Thu, May 3, 2018 at 1:22 PM, David Turnerwrote: > The process to create an encrypted bluestore OSD is very simple to make them > utilize dmcrypt (literally just add --dmcrypt to the exact same command you > would run normally to create the OSD). The gotcha is that I had to find the > option by using --help with ceph-volume from the cli. I was unable to find > any reference to it in the ceph docs online. > > I'm not sure where I would suggest putting it. I searched for it through > googling the terms and didn't find anything. Hopefully this comes up in > future searches and is helpful. You are right, it seems that although we have the details at http://docs.ceph.com/docs/master/ceph-volume/lvm/encryption/ we didn't actually update the flags in the prepare/activate/create sections. I will make sure those are updated. Thanks for pointing this out. > > [1] ceph-volume --help > ceph-volume lvm --help > ceph-volume lvm create --help (ahh, there it is) > > On Wed, May 2, 2018 at 11:51 AM David Turner wrote: >> >> At 'rest' is talking about data on it's own, not being accessed through an >> application. Encryption at rest is most commonly done by encrypting the >> block device with something like dmcrypt. It's anything that makes having >> the physical disk useless without being able to decrypt it. You can also >> just encrypt a folder with sensitive information which would also be >> encryption at rest. Encryption not at rest would be like putting a secure >> layer between the data and the users that access it, like HTTPS/SSL. >> >> On Wed, May 2, 2018 at 11:25 AM Alfredo Deza wrote: >>> >>> On Wed, May 2, 2018 at 11:12 AM, David Turner >>> wrote: >>> > I've heard conflicting opinions if GDPR requires data to be encrypted >>> > at >>> > rest, but enough of our customers believe that it is that we're looking >>> > at >>> > addressing it in our clusters. I had a couple questions about the >>> > state of >>> > encryption in ceph. >>> > >>> > 1) My experience with encryption in Ceph is dmcrypt, is this still the >>> > standard method or is there something new with bluestore? >>> >>> Standard, yes. >>> >>> > 2) Assuming dmcrypt is still the preferred option, is it fully >>> > supported/tested in ceph-volume? There were problems with this when >>> > ceph-volume was initially released, but I believe those have been >>> > resolved. >>> >>> It is fully supported, but only with LUKS. The initial release of >>> ceph-volume didn't have dmcrypt support. >>> >>> > 3) Any other thoughts about encryption at rest? I have an upgrade path >>> > to >>> > get to encryption (basically the same as getting to bluestore from >>> > filestore). >>> >>> Not sure what you mean by 'rest'. The ceph-volume encryption would >>> give you the same type of encryption that was provided by ceph-disk >>> with the only "gotcha" being it is LUKS (plain is not supported for >>> newly encrypted devices) >>> >>> > >>> > Thanks for your comments. ___ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
Re: [ceph-users] GDPR encryption at rest
The process to create an encrypted bluestore OSD is very simple to make them utilize dmcrypt (literally just add --dmcrypt to the exact same command you would run normally to create the OSD). The gotcha is that I had to find the option by using --help with ceph-volume from the cli. I was unable to find any reference to it in the ceph docs online. I'm not sure where I would suggest putting it. I searched for it through googling the terms and didn't find anything. Hopefully this comes up in future searches and is helpful. [1] ceph-volume --help ceph-volume lvm --help ceph-volume lvm create --help (ahh, there it is) On Wed, May 2, 2018 at 11:51 AM David Turnerwrote: > At 'rest' is talking about data on it's own, not being accessed through an > application. Encryption at rest is most commonly done by encrypting the > block device with something like dmcrypt. It's anything that makes having > the physical disk useless without being able to decrypt it. You can also > just encrypt a folder with sensitive information which would also be > encryption at rest. Encryption not at rest would be like putting a secure > layer between the data and the users that access it, like HTTPS/SSL. > > On Wed, May 2, 2018 at 11:25 AM Alfredo Deza wrote: > >> On Wed, May 2, 2018 at 11:12 AM, David Turner >> wrote: >> > I've heard conflicting opinions if GDPR requires data to be encrypted at >> > rest, but enough of our customers believe that it is that we're looking >> at >> > addressing it in our clusters. I had a couple questions about the >> state of >> > encryption in ceph. >> > >> > 1) My experience with encryption in Ceph is dmcrypt, is this still the >> > standard method or is there something new with bluestore? >> >> Standard, yes. >> >> > 2) Assuming dmcrypt is still the preferred option, is it fully >> > supported/tested in ceph-volume? There were problems with this when >> > ceph-volume was initially released, but I believe those have been >> resolved. >> >> It is fully supported, but only with LUKS. The initial release of >> ceph-volume didn't have dmcrypt support. >> >> > 3) Any other thoughts about encryption at rest? I have an upgrade path >> to >> > get to encryption (basically the same as getting to bluestore from >> > filestore). >> >> Not sure what you mean by 'rest'. The ceph-volume encryption would >> give you the same type of encryption that was provided by ceph-disk >> with the only "gotcha" being it is LUKS (plain is not supported for >> newly encrypted devices) >> >> > >> > Thanks for your comments. >> > ___ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
Re: [ceph-users] GDPR encryption at rest
At 'rest' is talking about data on it's own, not being accessed through an application. Encryption at rest is most commonly done by encrypting the block device with something like dmcrypt. It's anything that makes having the physical disk useless without being able to decrypt it. You can also just encrypt a folder with sensitive information which would also be encryption at rest. Encryption not at rest would be like putting a secure layer between the data and the users that access it, like HTTPS/SSL. On Wed, May 2, 2018 at 11:25 AM Alfredo Dezawrote: > On Wed, May 2, 2018 at 11:12 AM, David Turner > wrote: > > I've heard conflicting opinions if GDPR requires data to be encrypted at > > rest, but enough of our customers believe that it is that we're looking > at > > addressing it in our clusters. I had a couple questions about the state > of > > encryption in ceph. > > > > 1) My experience with encryption in Ceph is dmcrypt, is this still the > > standard method or is there something new with bluestore? > > Standard, yes. > > > 2) Assuming dmcrypt is still the preferred option, is it fully > > supported/tested in ceph-volume? There were problems with this when > > ceph-volume was initially released, but I believe those have been > resolved. > > It is fully supported, but only with LUKS. The initial release of > ceph-volume didn't have dmcrypt support. > > > 3) Any other thoughts about encryption at rest? I have an upgrade path > to > > get to encryption (basically the same as getting to bluestore from > > filestore). > > Not sure what you mean by 'rest'. The ceph-volume encryption would > give you the same type of encryption that was provided by ceph-disk > with the only "gotcha" being it is LUKS (plain is not supported for > newly encrypted devices) > > > > > Thanks for your comments. > ___ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
Re: [ceph-users] GDPR encryption at rest
On Wed, May 2, 2018 at 11:12 AM, David Turnerwrote: > I've heard conflicting opinions if GDPR requires data to be encrypted at > rest, but enough of our customers believe that it is that we're looking at > addressing it in our clusters. I had a couple questions about the state of > encryption in ceph. > > 1) My experience with encryption in Ceph is dmcrypt, is this still the > standard method or is there something new with bluestore? Standard, yes. > 2) Assuming dmcrypt is still the preferred option, is it fully > supported/tested in ceph-volume? There were problems with this when > ceph-volume was initially released, but I believe those have been resolved. It is fully supported, but only with LUKS. The initial release of ceph-volume didn't have dmcrypt support. > 3) Any other thoughts about encryption at rest? I have an upgrade path to > get to encryption (basically the same as getting to bluestore from > filestore). Not sure what you mean by 'rest'. The ceph-volume encryption would give you the same type of encryption that was provided by ceph-disk with the only "gotcha" being it is LUKS (plain is not supported for newly encrypted devices) > > Thanks for your comments. ___ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com