On Fri, Apr 29, 2023 at 7:52 AM Will Gorman <will.gorman(a)gmail.com> wrote:
> Is there a way to enable the LUKS encryption format on a snapshot that was created from
> an unencrypted image without losing data? I've seen in
> https://docs.ceph.com/en/quincy/rbd/rbd-encryption/ that "Any data written to the
> image prior to its format may become unreadable, though it may still occupy storage
> resources." and observed that to be the case when running `encryption format` on an
> image that already has data in it. However, is there any way to take a snapshot of an
> unencrypted image and enable encryption on the snapshot (or even on a new image cloned
> from the snapshot)?
Hi Will,
Support for layered client-side encryption is coming in the Reef
release:

  * RBD: Support for layered client-side encryption is added. Cloned
    images can now be encrypted each with its own encryption format and
    passphrase, potentially different from that of the parent image. The
    efficient copy-on-write semantics intrinsic to unformatted (regular)
    cloned images are retained.
A full cluster upgrade won't be necessary to take advantage of it;
upgrading librbd on the client node should suffice.
The following

    Any data written to the image prior to its format may become
    unreadable, though it may still occupy storage resources.

remains true, but you would be able to run "rbd encryption format" on a new
image cloned from the unencrypted snapshot. Some "rbd resize" commands
would need to be thrown in to allow for the added LUKS header: it might
feel somewhat fiddly but can be trivially scripted. See
https://docs.ceph.com/en/latest/rbd/rbd-encryption/
for details.
Thanks,
Ilya
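The clone-then-format flow Ilya outlines, as an added example that is not part of the thread and not Ceph's own code. It snapshots the unencrypted parent, clones it (clone format 2, so the snapshot need not be protected), grows the clone so the LUKS header has room at the front of the image, and then formats only the clone, leaving the parent and its snapshot untouched. It assumes a client with a Reef or later librbd and a user with write access to the pool; the pool, image and snapshot names in the usage note, and the 16 MiB header allowance, are placeholders and assumptions, not values from the thread. Setting RBD=echo prints the commands instead of running them, which is how the example can be dry-run without a cluster.

```shell
#!/bin/sh
# Added example: LUKS2-encrypt a clone of an unencrypted RBD snapshot.
# Not from the ceph-users thread or the Ceph project. Assumes librbd >= Reef
# on the client. Names and the header allowance below are assumptions.
set -eu

RBD=${RBD:-rbd}   # set RBD=echo to print the rbd commands instead of running them

# Size the clone must be grown to before formatting: the parent's size plus
# the space the LUKS header will occupy at the front of the image.
# Assumption: 16 MiB is a generous allowance for a LUKS2 header; LUKS1
# headers are smaller. Check "rbd info" and the rbd-encryption docs.
grown_size_mib() {
    parent_mib=$1
    header_mib=${2:-16}
    echo "$((parent_mib + header_mib))M"
}

# Create a random 32-byte passphrase file readable only by the caller.
# usage: make_passphrase <path>
make_passphrase() {
    umask 077
    head -c 32 /dev/urandom > "$1"
}

# Snapshot the parent, clone it, grow the clone, and format the clone.
# usage: encrypt_clone <pool> <image> <snap> <clone> <parent_size_mib> <passphrase_file>
encrypt_clone() {
    pool=$1 image=$2 snap=$3 clone=$4 parent_mib=$5 pass=$6

    # Snapshot the unencrypted parent; its data is never formatted.
    "$RBD" snap create "$pool/$image@$snap"

    # Clone format 2 does not require the snapshot to be protected first.
    "$RBD" clone --rbd-default-clone-format 2 "$pool/$image@$snap" "$pool/$clone"

    # Grow the clone so the LUKS header does not consume parent data.
    "$RBD" resize --size "$(grown_size_mib "$parent_mib")" "$pool/$clone"

    # Format only the clone; parent and snapshot keep their plain data.
    "$RBD" encryption format "$pool/$clone" luks2 "$pass"

    # Show the result; the reported size now excludes the header area.
    "$RBD" info "$pool/$clone"
}
```

Usage, with placeholder names: `make_passphrase /root/vm01-enc.key && encrypt_clone rbd vm01 pre-enc vm01-enc 1024 /root/vm01-enc.key`. The passphrase file is what you later pass to `rbd device map` (`-o encryption-format=luks2,encryption-passphrase-file=...`) or to `rbd resize` on the clone; losing it makes the clone's data unrecoverable. Whether an additional resize is needed after formatting depends on how the clone's size should line up with the parent's, so verify against the linked rbd-encryption page rather than treating the single grow step here as the full recipe.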