On 5/27/14 19:44 , Plato wrote:
For a certain security issue, I need to make sure the data finally saved to disk is encrypted. So, I'm trying to write a rados class which would be triggered during the reading and writing process. That is, before data is written, the encrypting method of the class will be invoked; and then after data is read, the decrypting method of the class will be invoked.

I checked the interfaces in objclass.h, and found that cls_link is perhaps what I need. However, the interface is not implemented yet. So, how does one write such a rados plugin? Is it possible?

Plato


_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

If you're looking for encryption at rest, can you use ceph-disk prepare --dmcrypt or ceph-deploy disk --dmcrypt ?

The encryption is top-notch, but the actual security is a bit weak. The keys are stored unencrypted in /etc/ceph/dmcrypt-keys/, which allows the OSDs to start at boot without a pass-phrase. If you're looking to check a box on your security auditor's form, it meets the requirements: the disk without the key is useless.

If you want stronger security (encrypted keys w/ pass-phrase on boot), the --dmcrypt arg just calls cryptsetup. Open up your deployment tool of choice, and look at the innards. It wouldn't be very hard to set up better security manually. It will complicate reboots, but actual security does.

It looks like only AES256 is compiled into cryptsetup on Ubuntu. If you need stronger crypto, I'm sure it's available with a bit more effort.


--

*Craig Lewis*
Senior Systems Engineer
Office +1.714.602.1309
Email cle...@centraldesktop.com

*Central Desktop. Work together in ways you never thought possible.*
Connect with us Website <http://www.centraldesktop.com/> | Twitter <http://www.twitter.com/centraldesktop> | Facebook <http://www.facebook.com/CentralDesktop> | LinkedIn <http://www.linkedin.com/groups?gid=147417> | Blog <http://cdblog.centraldesktop.com/>

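The reply above points out that the keys ceph-disk --dmcrypt generates sit in plaintext under /etc/ceph/dmcrypt-keys/ so that OSDs can start unattended. The check below is an added example, not code from the thread, from Ceph, or from Craig's deployment; it assumes the layout the reply describes (one key file per OSD in that directory) and flags the one thing a practitioner can verify without the OSD online: whether the directory or any key file is readable by a non-root local user. It cannot tell a raw key from an encrypted one, so it reports the key-file count as plaintext per the thread. The directory is a parameter so it can be pointed at a copy during an audit.

```shell
#!/bin/sh
# Added example (not from the thread or from Ceph): audit the key directory
# that ceph-disk --dmcrypt populates. Assumes one plaintext key file per OSD
# under /etc/ceph/dmcrypt-keys/, as described in the reply above.
# Uses GNU stat (-c); on BSD/macOS substitute stat -f '%Lp' / '%Su'.

audit_dmcrypt_keys() {
    dir="${1:-/etc/ceph/dmcrypt-keys}"
    warnings=0
    keys=0

    if [ ! -d "$dir" ]; then
        echo "INFO: $dir not present (dmcrypt not in use, or keys kept elsewhere)"
        return 0
    fi

    # The directory itself must not be listable or traversable by group/other.
    dmode=$(stat -c '%a' "$dir")
    case "$dmode" in
        *00) ;;
        *) echo "WARN: $dir mode $dmode, expected 700"
           warnings=$((warnings + 1)) ;;
    esac

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        keys=$((keys + 1))
        mode=$(stat -c '%a' "$f")
        owner=$(stat -c '%U' "$f")
        # Any group/other permission bit hands the disk key to local users.
        case "$mode" in
            *00) echo "OK:   $f mode $mode owner $owner" ;;
            *)   echo "WARN: $f mode $mode owner $owner, expected 600"
                 warnings=$((warnings + 1)) ;;
        esac
    done

    # Per the thread, these files are raw keys: anyone holding a copy of the
    # root filesystem can unlock the matching OSDs regardless of file modes.
    echo "INFO: $keys key file(s) in $dir stored in plaintext"
    echo "SUMMARY: $warnings warning(s)"
    [ "$warnings" -eq 0 ]
}

# Usage: sh audit.sh /etc/ceph/dmcrypt-keys   (exit status 1 if any WARN)
if [ $# -gt 0 ]; then
    audit_dmcrypt_keys "$1"
fi
```

The mode test is deliberately coarse: anything other than a trailing "00" in the octal mode is reported, which catches 644 and 640 alike, and a clean run exits 0 so the function can sit in a boot-time or compliance check.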
