Encryption
Encryption protects data confidentiality both in transit and at rest:
In transit
- Messenger v2: Configure Ceph's internal communication (between MON, OSD, MGR, MDS and any Ceph clients) to use secure mode, which encrypts traffic. Ceph's default mode list is "crc secure", which only adds integrity checking and lets a peer negotiate unencrypted framing; pin the ms_*_mode options to "secure" alone, on the cluster and on clients, so that no unencrypted session can be established.
- TLS at RGW: Essential for encrypting S3/Swift traffic between clients and the RGW. Use strong TLS protocols (TLS 1.2+) and ciphers. Obtain certificates from a trusted CA or manage an internal PKI. Configure via Juju relations or charm options.
- Ceph Dashboard HTTPS: The dashboard uses HTTPS by default. Ensure the certificate is valid and trusted.
- Juju Communication: Juju controller-agent communication is secured with TLS automatically.
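The setting that matters for Messenger v2 is easy to leave half-done: some mode options pinned to secure, others still at the permissive default, or a per-daemon override reopening crc. The script below is an added example for this page, not code from the page or from Charmed Ceph. It reads the JSON that `ceph config dump --format json` prints (the "section", "name" and "value" field names are assumed from that command's output) and reports every msgr2 mode option that still allows crc, including options that were never set and therefore sit at the default. The sample output embedded in it is constructed, not captured from a real cluster.

```python
"""Audit msgr2 encryption modes in a Ceph cluster's central config.

Added example; not code from the page or from Charmed Ceph. Reads the JSON
printed by `ceph config dump --format json` (field names "section", "name",
"value" assumed from that command) and reports every msgr2 mode option that
still allows the unencrypted "crc" mode.
"""
import json
import sys

# The six msgr2 mode options. Each holds a space-separated list of modes a
# peer may negotiate; Ceph's compiled-in default is "crc secure", so a peer
# can still pick crc (integrity only, no encryption) unless the option is
# pinned to "secure".
MSGR2_MODE_OPTIONS = (
    "ms_cluster_mode",      # OSD/MGR/MDS <-> OSD/MGR/MDS
    "ms_service_mode",      # non-MON daemons accepting connections
    "ms_client_mode",       # non-MON daemons and clients dialling out
    "ms_mon_cluster_mode",  # MON <-> MON
    "ms_mon_service_mode",  # MONs accepting connections
    "ms_mon_client_mode",   # anything dialling a MON
)
DEFAULT_MODE = "crc secure"


def insecure_modes(config_dump):
    """Return (section, option, value) for each mode setting that is not
    exactly "secure", including options left at their default."""
    findings = []
    set_globally = set()
    for entry in config_dump:
        name = entry.get("name")
        if name not in MSGR2_MODE_OPTIONS:
            continue
        section = entry.get("section", "global")
        if section == "global":
            set_globally.add(name)
        # A per-section override (e.g. section "osd") beats the global value,
        # so a non-secure value in any section is a finding.
        if entry.get("value", "").split() != ["secure"]:
            findings.append((section, name, entry.get("value", "")))
    for name in MSGR2_MODE_OPTIONS:
        if name not in set_globally:
            findings.append(("global", name, DEFAULT_MODE + " (default, not set)"))
    return findings


def remediation_commands(findings):
    """ceph CLI commands that pin each flagged option to secure-only."""
    return [f"ceph config set {section} {name} secure"
            for section, name, _ in findings]


# Constructed sample of `ceph config dump --format json` output (not captured
# from a real cluster): four options pinned, one still permissive, one
# overridden for OSDs, and ms_mon_client_mode never set at all.
SAMPLE_DUMP = [
    {"section": "global", "name": "ms_cluster_mode", "value": "secure"},
    {"section": "global", "name": "ms_service_mode", "value": "secure"},
    {"section": "global", "name": "ms_client_mode", "value": "crc secure"},
    {"section": "global", "name": "ms_mon_cluster_mode", "value": "secure"},
    {"section": "global", "name": "ms_mon_service_mode", "value": "secure"},
    {"section": "osd", "name": "ms_cluster_mode", "value": "crc"},
    {"section": "global", "name": "osd_pool_default_size", "value": "3"},
]


if __name__ == "__main__":
    # Pipe real output in: ceph config dump --format json | python3 msgr2_audit.py
    dump = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DUMP
    found = insecure_modes(dump)
    for section, name, value in found:
        print(f"{section}/{name} = {value!r}")
    for cmd in remediation_commands(found):
        print("  fix:", cmd)
    sys.exit(1 if found else 0)
```

The check only sees the monitors' central config store; values set in a daemon's local ceph.conf are not in the dump, so run it alongside a review of any charm-managed config overrides. Remember that pinning "secure" on the cluster side rejects clients that can only speak crc, so upgrade RBD and CephFS clients first.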
At rest
- OSD Encryption (via LUKS): Ceph supports encrypting the data stored on OSDs with LUKS (dm-crypt). This protects data if physical drives are stolen or leave the site for replacement; it does not protect against an attacker with access to a running host, since the volume is unlocked there. Charmed Ceph enables OSD encryption through the ceph-osd charm's osd-encrypt option, which applies to OSDs created after it is set and does not retroactively encrypt existing ones. Key management for LUKS needs to be handled carefully: the key is held in the cluster's key/value store on the monitors, so anyone with monitor admin access can recover it.
- Full Disk Encryption (FDE): Consider encrypting the entire host OS disk, especially for MON nodes holding cluster maps and keys, and RGW nodes potentially caching data. This adds another layer of protection against physical access, managed at the OS level.
Full disk encryption
Charmed Ceph supports automatic full disk encryption (FDE) on OSDs.
Full disk encryption is a security measure that protects the data on a storage device by encrypting all the information on the disk. FDE helps maintain data confidentiality in case the disk is lost or stolen by rendering the data inaccessible without the correct decryption key or password.
In the event of disk loss or theft, unauthorised individuals are unable to access the encrypted data, as the encryption renders the information unreadable without the proper credentials. This helps prevent data breaches and protects sensitive information from being misused.
FDE also reduces the need for wiping or physically destroying a disk when it is replaced, as the encrypted data remains unreadable even if the disk is no longer in use, provided the decryption key is never stored on that disk and is retired together with it. Without the key, the data on the disk is effectively useless.
Implementation
Full disk encryption for OSDs has to be enabled via a configuration option (osd-encrypt) at the charm level in the ceph-osd charm. Charmed Ceph will then use the dm-crypt kernel module (as a LUKS volume) to encrypt each disk that backs a newly added OSD. OSDs that already existed when the option was set are not encrypted in place; they have to be removed and re-added to gain encryption.
Read our how-to guide for enabling FDE to find out how to enable FDE on your disks.
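Because the option only affects OSDs created after it is set, a cluster that turned it on later can still hold plaintext OSDs. The script below is an added example for this page, not code from the page or from Charmed Ceph. It reads the JSON that `ceph-volume lvm list --format json` prints on an OSD host (the "ceph.encrypted" tag and the "type" and "lv_path" fields are assumed from that command's output) and lists every OSD volume that was not created with dm-crypt. The sample data in it is constructed, not captured from a real host.

```python
"""Find OSD volumes that are not backed by a LUKS (dm-crypt) volume.

Added example; not code from the page or from Charmed Ceph. Reads the JSON
printed by `ceph-volume lvm list --format json` (the "ceph.encrypted" tag
and the "type"/"lv_path" fields are assumed from that command) and lists
every logical volume whose encrypted tag is not "1".
"""
import json
import sys


def unencrypted_volumes(lvm_list):
    """Return sorted (osd_id, volume_type, lv_path) for each OSD volume
    (block, db or wal) that ceph-volume did not create with --dmcrypt."""
    findings = []
    for osd_id, volumes in lvm_list.items():
        for vol in volumes:
            tags = vol.get("tags", {})
            # ceph-volume tags dmcrypt volumes with ceph.encrypted=1; a
            # missing tag is treated as unencrypted, never as encrypted.
            if tags.get("ceph.encrypted") != "1":
                findings.append((int(osd_id), vol.get("type", "?"),
                                 vol.get("lv_path", "?")))
    return sorted(findings)


def osd_ids_to_rebuild(lvm_list):
    """OSD ids that must be drained, removed and re-added to become encrypted;
    encryption cannot be switched on in place for an existing OSD."""
    return sorted({osd_id for osd_id, _, _ in unencrypted_volumes(lvm_list)})


# Constructed sample (not captured from a real host): osd.0 and osd.2 were
# created after osd-encrypt was set to true, osd.1 predates it and has a
# separate, equally unencrypted db volume.
SAMPLE_LVM_LIST = {
    "0": [{"type": "block", "lv_path": "/dev/ceph-vg0/osd-block-0",
           "tags": {"ceph.osd_id": "0", "ceph.encrypted": "1"}}],
    "1": [{"type": "block", "lv_path": "/dev/ceph-vg1/osd-block-1",
           "tags": {"ceph.osd_id": "1", "ceph.encrypted": "0"}},
          {"type": "db", "lv_path": "/dev/ceph-vg1/osd-db-1",
           "tags": {"ceph.osd_id": "1"}}],
    "2": [{"type": "block", "lv_path": "/dev/ceph-vg2/osd-block-2",
           "tags": {"ceph.osd_id": "2", "ceph.encrypted": "1"}}],
}


if __name__ == "__main__":
    # On each OSD host:
    #   sudo ceph-volume lvm list --format json | python3 osd_crypt_audit.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_LVM_LIST
    for osd_id, vol_type, path in unencrypted_volumes(data):
        print(f"osd.{osd_id} {vol_type} {path} is NOT encrypted")
    print("OSDs to rebuild:", osd_ids_to_rebuild(data))
    sys.exit(1 if osd_ids_to_rebuild(data) else 0)
```

Run it on every OSD host, since ceph-volume only reports volumes local to the host; db and wal volumes are checked as well as the block volume, because a plaintext db volume still leaks object metadata.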
Limitations
- It is important to note that Charmed Ceph FDE only encompasses OSDs. Other data, such as state information for monitors, logs, configuration etc., will not be encrypted by this mechanism; use host-level full disk encryption for those.
- Also note that the encryption key will be stored on the Ceph monitors as part of the Ceph key/value store. Anyone with monitor admin access can read it, so this protects against lost or stolen drives, not against compromise of the cluster itself.