Hi all,
jumping on this thread as we have requests for which per-client fs mount encryption makes
a lot of sense:
What kind of security to you want to achieve with
encryption keys stored
on the server side?
One of the use cases is if a user requests a share with encryption at rest. Since
encryption has an unavoidable performance impact, it is impractical to make 100% of users
pay for the requirements that only 1% of users really have. Instead of all-OSD back-end
encryption hitting everyone for little reason, encrypting only some user-buckets/fs-shares
on the front-end application level will ensure that the data is encrypted at rest.
It may very well not serve any other purpose, but these are requests we get. If I could
provide an encryption key to a ceph-fs kernel at mount time, this requirement could be
solved very elegantly on a per-user (request) basis and only making users who want it pay
with performance penalties.
Best regards,
=================
Frank Schilder
AIT Risø Campus
Bygning 109, rum S14
________________________________________
From: Robert Sander <r.sander(a)heinlein-support.de>
Sent: Tuesday, May 23, 2023 6:35 PM
To: ceph-users(a)ceph.io
Subject: [ceph-users] Re: Encryption per user Howto
On 23.05.23 08:42, huxiaoyu(a)horebdata.cn wrote:
Indeed, the question is on server-side encryption
with keys managed by ceph on a per-user basis
What kind of security to you want to achieve with encryption keys stored
on the server side?
Regards
--
Robert Sander
Heinlein Support GmbH
Linux: Akademie - Support - Hosting
http://www.heinlein-support.de
Tel: 030-405051-43
Fax: 030-405051-19
Zwangsangaben lt. §35a GmbHG:
HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
Geschäftsführer: Peer Heinlein -- Sitz: Berlin
_______________________________________________
ceph-users mailing list -- ceph-users(a)ceph.io
To unsubscribe send an email to ceph-users-leave(a)ceph.io