Hi Robert.

> But this would still mean that the client encrypts the
> data.

Yes, and as far as I understood this would be fine for the original request as well. Maybe
this might sound confusing, but here is my terminology for that:

I don't count the RGW daemon as a storage server; in my terminology it's a storage
gateway, which in itself is a client of the rados back-end store. Hence, I count
encryption on a gateway as client-sided. For RGW the natural place to have keys for such
encryption would be the gateway (which was called server-sided in an earlier e-mail),
while for cephfs it would be on the machine that does the actual FS mount.
For the kclient, this would be the host itself and when using ganesha, it would have to be
in the VFS config on the NFS gateway. All these I count under client-sided keys while
others might consider a gateway as server-sided. Note that client is not the same as
user.

The key point here is that ordinary (end-) users will in none of these cases be aware of
the encryption or able to bypass it. It happens transparently. It is still on application
level and, therefore, can be applied selectively.

Best regards,
=================
Frank Schilder
AIT Risø Campus
Bygning 109, rum S14
________________________________________
From: Robert Sander <r.sander(a)heinlein-support.de>
Sent: Friday, May 26, 2023 1:29 PM
To: ceph-users(a)ceph.io
Subject: [ceph-users] Re: Encryption per user Howto

On 5/26/23 12:26, Frank Schilder wrote:
> It may very well not serve any other purpose, but
> these are requests we get. If I could provide an encryption key to a ceph-fs kernel at
> mount time, this requirement could be solved very elegantly on a per-user (request) basis
> and only making users who want it pay with performance penalties.

I understand this use case. But this would still mean that the client
encrypts the data. In your case the CephFS mount or with S3 the
rados-gateway.

Regards
--
Robert Sander
Heinlein Consulting GmbH
Schwedter Str. 8/9b, 10119 Berlin
https://www.heinlein-support.de
Tel: 030 / 405051-43
Fax: 030 / 405051-19
District Court Berlin-Charlottenburg - HRB 220009 B
Managing Director: Peer Heinlein - Registered office: Berlin