Re: [ceph-users] GDPR encryption at rest

2018-05-10 Thread Vik Tara
On 02/05/18 16:12, David Turner wrote:
> I've heard conflicting opinions if GDPR requires data to be encrypted
> at rest
Encryption both in transit and at rest is part of data protection by
design: it is about making sure that you have control over the data that
you hold/are processing and that if you lose physical control over the
storage medium (at rest) or the communication channel (in transit) that
you do not also have a loss of control (a data breach). Encrypted data,
whether it includes personal data or not, is 'protected' secure data.

GDPR doesn't particularly describe encryption, but the ICO guidance does,
and in particular:

"Where appropriate, you should look to use measures such as
pseudonymisation and encryption."

We're currently working on a Ceph-based Document Management System with
object encryption which needs to comply with GDPR for users - and we're
opting for encrypting everything!

___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com


Re: [ceph-users] GDPR encryption at rest

2018-05-03 Thread Alfredo Deza
On Thu, May 3, 2018 at 1:22 PM, David Turner  wrote:
> The process to create an encrypted bluestore OSD is very simple to make them
> utilize dmcrypt (literally just add --dmcrypt to the exact same command you
> would run normally to create the OSD).  The gotcha is that I had to find the
> option by using --help with ceph-volume from the cli.  I was unable to find
> any reference to it in the ceph docs online.
>
> I'm not sure where I would suggest putting it.  I searched for it through
> googling the terms and didn't find anything.  Hopefully this comes up in
> future searches and is helpful.

You are right, it seems that although we have the details at
http://docs.ceph.com/docs/master/ceph-volume/lvm/encryption/
we didn't actually update the flags in the prepare/activate/create sections.

I will make sure those are updated. Thanks for pointing this out.

>
> [1] ceph-volume --help
> ceph-volume lvm --help
> ceph-volume lvm create --help (ahh, there it is)
>
> On Wed, May 2, 2018 at 11:51 AM David Turner  wrote:
>>
>> At 'rest' is talking about data on its own, not being accessed through an
>> application.  Encryption at rest is most commonly done by encrypting the
>> block device with something like dmcrypt.  It's anything that makes having
>> the physical disk useless without being able to decrypt it.  You can also
>> just encrypt a folder with sensitive information which would also be
>> encryption at rest.  Encryption not at rest would be like putting a secure
>> layer between the data and the users that access it, like HTTPS/SSL.
>>
>> On Wed, May 2, 2018 at 11:25 AM Alfredo Deza  wrote:
>>>
>>> On Wed, May 2, 2018 at 11:12 AM, David Turner 
>>> wrote:
>>> > I've heard conflicting opinions if GDPR requires data to be encrypted
>>> > at
>>> > rest, but enough of our customers believe that it is that we're looking
>>> > at
>>> > addressing it in our clusters.  I had a couple questions about the
>>> > state of
>>> > encryption in ceph.
>>> >
>>> > 1) My experience with encryption in Ceph is dmcrypt, is this still the
>>> > standard method or is there something new with bluestore?
>>>
>>> Standard, yes.
>>>
>>> > 2) Assuming dmcrypt is still the preferred option, is it fully
>>> > supported/tested in ceph-volume?  There were problems with this when
>>> > ceph-volume was initially released, but I believe those have been
>>> > resolved.
>>>
>>> It is fully supported, but only with LUKS. The initial release of
>>> ceph-volume didn't have dmcrypt support.
>>>
>>> > 3) Any other thoughts about encryption at rest?  I have an upgrade path
>>> > to
>>> > get to encryption (basically the same as getting to bluestore from
>>> > filestore).
>>>
>>> Not sure what you mean by 'rest'. The ceph-volume encryption would
>>> give you the same type of encryption that was provided by ceph-disk
>>> with the only "gotcha" being it is LUKS (plain is not supported for
>>> newly encrypted devices)
>>>
>>> >
>>> > Thanks for your comments.


Re: [ceph-users] GDPR encryption at rest

2018-05-03 Thread David Turner
The process to create an encrypted bluestore OSD is very simple to make
them utilize dmcrypt (literally just add --dmcrypt to the exact same
command you would run normally to create the OSD).  The gotcha is that I
had to find the option by using --help with ceph-volume from the cli.  I
was unable to find any reference to it in the ceph docs online.

I'm not sure where I would suggest putting it.  I searched for it through
googling the terms and didn't find anything.  Hopefully this comes up in
future searches and is helpful.

[1] ceph-volume --help
ceph-volume lvm --help
ceph-volume lvm create --help (ahh, there it is)

On Wed, May 2, 2018 at 11:51 AM David Turner  wrote:

> At 'rest' is talking about data on its own, not being accessed through an
> application.  Encryption at rest is most commonly done by encrypting the
> block device with something like dmcrypt.  It's anything that makes having
> the physical disk useless without being able to decrypt it.  You can also
> just encrypt a folder with sensitive information which would also be
> encryption at rest.  Encryption not at rest would be like putting a secure
> layer between the data and the users that access it, like HTTPS/SSL.
>
> On Wed, May 2, 2018 at 11:25 AM Alfredo Deza  wrote:
>
>> On Wed, May 2, 2018 at 11:12 AM, David Turner 
>> wrote:
>> > I've heard conflicting opinions if GDPR requires data to be encrypted at
>> > rest, but enough of our customers believe that it is that we're looking
>> at
>> > addressing it in our clusters.  I had a couple questions about the
>> state of
>> > encryption in ceph.
>> >
>> > 1) My experience with encryption in Ceph is dmcrypt, is this still the
>> > standard method or is there something new with bluestore?
>>
>> Standard, yes.
>>
>> > 2) Assuming dmcrypt is still the preferred option, is it fully
>> > supported/tested in ceph-volume?  There were problems with this when
>> > ceph-volume was initially released, but I believe those have been
>> resolved.
>>
>> It is fully supported, but only with LUKS. The initial release of
>> ceph-volume didn't have dmcrypt support.
>>
>> > 3) Any other thoughts about encryption at rest?  I have an upgrade path
>> to
>> > get to encryption (basically the same as getting to bluestore from
>> > filestore).
>>
>> Not sure what you mean by 'rest'. The ceph-volume encryption would
>> give you the same type of encryption that was provided by ceph-disk
>> with the only "gotcha" being it is LUKS (plain is not supported for
>> newly encrypted devices)
>>
>> >
>> > Thanks for your comments.
>>
>
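The message above describes the whole procedure: run the usual ceph-volume create command with --dmcrypt appended, and confirm the flag exists via `ceph-volume lvm create --help`. What an operator answering a GDPR at-rest question also needs is a way to verify afterwards which OSDs on a host actually ended up encrypted. The script below is an added example, not code from the thread or from the Ceph project. It assumes that `ceph-volume lvm list` prints a `====== osd.N ======` header per OSD followed by an `encrypted 0|1` line per logical volume (the output layout documented for ceph-volume at the time of the thread; check it against your installed version), and it runs offline against a constructed sample of that output rather than a live cluster.

```shell
#!/bin/sh
# Added example (not from the ceph-users thread or the Ceph project):
# create an encrypted bluestore OSD the way the message describes, and
# audit which OSDs on a host are NOT encrypted by parsing the "encrypted"
# field that `ceph-volume lvm list` prints for each logical volume.
#
# Assumed output layout (verify against your ceph-volume version):
#   ====== osd.N =======
#       ...
#       encrypted                 0|1
#       ...

# The create command from the thread with --dmcrypt appended. Defined as a
# function so it can be reused; it is not called below because it needs a
# real, unused block device and a running cluster.
create_encrypted_osd() {
    dev="$1"
    ceph-volume lvm create --bluestore --data "$dev" --dmcrypt
}

# Read `ceph-volume lvm list` output on stdin and print the id of every
# OSD that has at least one logical volume with "encrypted 0".
# Each OSD id is printed once even if it has several LVs (block + db).
unencrypted_osds() {
    awk '
        /^====== osd\./ { osd = $2; next }
        $1 == "encrypted" && $2 == "0" && !seen[osd]++ { print osd }
    '
}

# Constructed sample (NOT captured from a real cluster): osd.0 was created
# with --dmcrypt, osd.1 was not. Lets the script run without Ceph installed.
SAMPLE_LVM_LIST='====== osd.0 =======

  [block]    /dev/ceph-aaaa/osd-block-aaaa

      block device              /dev/ceph-aaaa/osd-block-aaaa
      cluster name              ceph
      encrypted                 1
      osd fsid                  00000000-0000-0000-0000-000000000000
      osd id                    0
      type                      block
      devices                   /dev/sdb

====== osd.1 =======

  [block]    /dev/ceph-bbbb/osd-block-bbbb

      block device              /dev/ceph-bbbb/osd-block-bbbb
      cluster name              ceph
      encrypted                 0
      osd fsid                  11111111-1111-1111-1111-111111111111
      osd id                    1
      type                      block
      devices                   /dev/sdc
'

# Run the audit over the constructed sample; prints "osd.1".
audit_sample() {
    printf '%s\n' "$SAMPLE_LVM_LIST" | unencrypted_osds
}

# On a real OSD host the equivalent is:
#   ceph-volume lvm list | unencrypted_osds
audit_sample
```

Run on each OSD host, an empty result means every OSD the host knows about was prepared with --dmcrypt; any id printed is a disk that would still be readable if it left the data centre. Because ceph-volume only supports LUKS for newly encrypted devices (as Alfredo notes earlier in the thread), `cryptsetup isLuks` on the underlying LV is a second, independent check that the encrypted flag is backed by a real LUKS header.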


Re: [ceph-users] GDPR encryption at rest

2018-05-02 Thread David Turner
At 'rest' is talking about data on its own, not being accessed through an
application.  Encryption at rest is most commonly done by encrypting the
block device with something like dmcrypt.  It's anything that makes having
the physical disk useless without being able to decrypt it.  You can also
just encrypt a folder with sensitive information which would also be
encryption at rest.  Encryption not at rest would be like putting a secure
layer between the data and the users that access it, like HTTPS/SSL.

On Wed, May 2, 2018 at 11:25 AM Alfredo Deza  wrote:

> On Wed, May 2, 2018 at 11:12 AM, David Turner 
> wrote:
> > I've heard conflicting opinions if GDPR requires data to be encrypted at
> > rest, but enough of our customers believe that it is that we're looking
> at
> > addressing it in our clusters.  I had a couple questions about the state
> of
> > encryption in ceph.
> >
> > 1) My experience with encryption in Ceph is dmcrypt, is this still the
> > standard method or is there something new with bluestore?
>
> Standard, yes.
>
> > 2) Assuming dmcrypt is still the preferred option, is it fully
> > supported/tested in ceph-volume?  There were problems with this when
> > ceph-volume was initially released, but I believe those have been
> resolved.
>
> It is fully supported, but only with LUKS. The initial release of
> ceph-volume didn't have dmcrypt support.
>
> > 3) Any other thoughts about encryption at rest?  I have an upgrade path
> to
> > get to encryption (basically the same as getting to bluestore from
> > filestore).
>
> Not sure what you mean by 'rest'. The ceph-volume encryption would
> give you the same type of encryption that was provided by ceph-disk
> with the only "gotcha" being it is LUKS (plain is not supported for
> newly encrypted devices)
>
> >
> > Thanks for your comments.
>


Re: [ceph-users] GDPR encryption at rest

2018-05-02 Thread Alfredo Deza
On Wed, May 2, 2018 at 11:12 AM, David Turner  wrote:
> I've heard conflicting opinions if GDPR requires data to be encrypted at
> rest, but enough of our customers believe that it is that we're looking at
> addressing it in our clusters.  I had a couple questions about the state of
> encryption in ceph.
>
> 1) My experience with encryption in Ceph is dmcrypt, is this still the
> standard method or is there something new with bluestore?

Standard, yes.

> 2) Assuming dmcrypt is still the preferred option, is it fully
> supported/tested in ceph-volume?  There were problems with this when
> ceph-volume was initially released, but I believe those have been resolved.

It is fully supported, but only with LUKS. The initial release of
ceph-volume didn't have dmcrypt support.

> 3) Any other thoughts about encryption at rest?  I have an upgrade path to
> get to encryption (basically the same as getting to bluestore from
> filestore).

Not sure what you mean by 'rest'. The ceph-volume encryption would
give you the same type of encryption that was provided by ceph-disk
with the only "gotcha" being it is LUKS (plain is not supported for
newly encrypted devices)

>
> Thanks for your comments.