How to change encryptionPassphrase after RBD is encrypted

ceph / ceph-csi

CSI driver for Ceph

Apache License 2.0

1.27k stars 536 forks source link

How to change encryptionPassphrase after RBD is encrypted #3298

Open fanchenxu-ship opened 2 years ago

fanchenxu-ship commented 2 years ago

Dear. According to the security requirements, the encrypted key needs to be modified periodically, and there seems to be no relevant function in the rook ceph? How should I get to modify encryptionPassphrase?

myconfig:

user-ns-secrets-metadata-test: |- { "encryptionKMSType": "metadata", "secretName": "storage-encryption-secret", "secretNamespace": "default" }

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.

github-actions[bot] commented 2 years ago

This issue has been automatically closed due to inactivity. Please re-open if this still requires investigation.

nixpanic commented 2 years ago

This can not (easily) be done at the moment. It requires you to manually modify several things:

change the LUKS passphrase when the RBD-image is attached to a node
update the encrypted passphrase in the KMS or image metadata

We do want to have this as a feature, but there is no design for it yet. Possibly this will be added through a new CSI Addons procedure.