Open pankaj-mandal opened 2 months ago
The Ceph-CSI project provides a CSI driver that a Container Platform like Kubernetes can use to create/delete volumes for application usage. The encryption that Ceph-CSI sets up is client-side, per volume. Ceph-CSI does not manage the Ceph cluster and OSDs. A project like Rook focuses on that.
For your case, you may want to check the Ceph documentation about encryption.
Thanks for the update, I have enabled server-side encryption as per the link you mentioned in the Ceph documentation. I had earlier looked at the examples in the git repo and it looked like encryption could be done using ceph-csi.
I also noticed that even if I set the key `encrypted` to `"false"` in the storageclass, the PVC will not bind. I have to remove that entry completely or comment it out. Also I have to remove the `encryptionPassphrase` from the secret.yaml or comment it out. Also the namespace in the examples is `default` but the namespace needed is `ceph-csi-cephfs`. I am assuming that with this and server-side encryption enabled, there is nothing additional to be done in ceph-csi as far as encryption of data at rest is concerned.
I did look at using Rook originally but eventually decided to deploy ceph as per ceph documentation. Will try Rook another time.
@pankaj-mandal there are 2 types of encryption
- Server-side encryption, where you will enable encryption on the ceph cluster and update csi to use the specific encryption method `secure` or `CRC` to connect to the ceph cluster and do all operations on secure port 3300
- The second option is PV encryption where cephcsi will encrypt all the cephfs (its still in alpha state and not much tested) and RBD PVC's created

You need to decide on what exact encryption you are looking for
This is what I did

```shell
ceph-volume lvm prepare --data /dev/sdb --dmcrypt
ceph-volume lvm activate 0 <osd-uuid>
```

and repeated the above for different values of `--data` and `<osd-uuid>`, and that has enabled encryption for object stores in my ceph cluster. On the client side I removed the entries for `encryptionPassphrase` and `encrypted` in the secret and storageclass. Seems to work, although I would like to have a way to see the encrypted files on the disk.
The way you have setup encryption is on the OSD side, where the Ceph cluster stores its objects for the files and RBD-images. By inspecting the contents of the LogicalVolume, you have access to the unencrypted objects. It is just not trivial to select and combine the objects that present a single file. The format is Ceph specific, and not meant for humans to interact with it.
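Since the thread asks how to confirm that the OSD data really is encrypted at rest, here is an added check (not code from the thread or from ceph-csi) that reads the JSON emitted by `ceph-volume lvm list --format json` and reports every OSD block device that is not tagged `ceph.encrypted=1`, which is the tag `ceph-volume` sets for `--dmcrypt` OSDs. The JSON layout assumed below (OSD id mapping to a list of devices, each carrying a `tags` dict) and the sample output are constructed for the demo.

```python
import json
import subprocess

# Constructed sample in the assumed shape of `ceph-volume lvm list --format json`:
# osd id -> list of devices, each with a "tags" dict of ceph.* tags.
SAMPLE_LVM_LIST = json.dumps({
    "0": [{
        "type": "block",
        "lv_path": "/dev/ceph-aaaa/osd-block-1111",
        "tags": {"ceph.osd_id": "0", "ceph.type": "block", "ceph.encrypted": "1"},
    }],
    "1": [{
        "type": "block",
        "lv_path": "/dev/ceph-bbbb/osd-block-2222",
        "tags": {"ceph.osd_id": "1", "ceph.type": "block", "ceph.encrypted": "0"},
    }],
    "2": [{
        "type": "block",
        "lv_path": "/dev/ceph-cccc/osd-block-3333",
        "tags": {"ceph.osd_id": "2", "ceph.type": "block"},  # tag missing entirely
    }],
})


def unencrypted_osds(lvm_list_json: str) -> list:
    """Return (osd_id, lv_path) for every OSD block device not tagged ceph.encrypted=1.

    A missing tag is treated the same as "0": the device was prepared without --dmcrypt.
    """
    findings = []
    for osd_id, devices in json.loads(lvm_list_json).items():
        for dev in devices:
            if dev.get("type") != "block":  # only the data device matters here
                continue
            if dev.get("tags", {}).get("ceph.encrypted") != "1":
                findings.append((osd_id, dev.get("lv_path", "?")))
    return findings


def live_lvm_list() -> str:
    """Run ceph-volume on an OSD host (requires root); not used by the offline demo."""
    return subprocess.check_output(
        ["ceph-volume", "lvm", "list", "--format", "json"], text=True
    )


if __name__ == "__main__":
    for osd_id, lv in unencrypted_osds(SAMPLE_LVM_LIST):
        print(f"osd.{osd_id}: {lv} is NOT dm-crypt backed")
```

On a real OSD host replace `SAMPLE_LVM_LIST` with `live_lvm_list()`; an empty result means every data LV was prepared with `--dmcrypt`.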
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
Describe the bug
I have been trying to enable encryption for ceph-csi; one of the requirements is to enable fscrypt for the ceph storage. However the ceph OSD stores use LVM, and fscrypt uses ext4 and a few others but not LVM, so encryption cannot be enabled on the LVM devices.
Environment details
- Mounter used for mounting PVC (for cephFS its `fuse` or `kernel`, for rbd its `krbd` or `rbd-nbd`): kernel

Steps to reproduce
Steps to reproduce the behavior:
1. ceph cluster is deployed and cephfs, pools, OSDs are configured. The cluster is healthy.
2. ceph-csi is installed on another node using helm charts. All pods are up and running.
3. I have encryption set to false at this point in the storageclass. However if I enable encryption in the storageclass, it will give an error in the demo pod, i.e. the error is something like
4. See error
Actual results
I guess it is because fscrypt is not enabled in the storage, i.e. on the server side. If I look at the volumes on the server side, I see
The devices sdb, sdc and sdd need to be encrypted. However the LVM cannot be encrypted using fscrypt as it is not supported by fscrypt.