Enable encryption for ceph-csi using fscrypt #4597
The Ceph-CSI project provides a CSI driver that a Container Platform like Kubernetes can use to create/delete volumes for application usage. The encryption that Ceph-CSI sets up is client-side, per volume. Ceph-CSI does not manage the Ceph cluster and OSDs. A project like Rook focuses on that. For your case, you may want to check the Ceph documentation about encryption.
Thanks for the update, I have enabled server-side encryption as per the link you mentioned in the Ceph documentation. I had earlier looked at the examples in the git repo and it looked like encryption could be done using ceph-csi. I also noticed that even if I set the key "encrypted" to "false" in the storageclass, the PVC will not bind. I have to remove that entry completely or comment it out. Also I have to remove the encryptionPassphrase from the secret.yaml or comment it out. Also the namespace in the examples is default, but the namespace needed is ceph-csi-cephfs. I am assuming that with this and server-side encryption enabled, there is nothing additional to be done in ceph-csi as far as encryption of data at rest is concerned. I did look at using Rook originally but eventually decided to deploy Ceph as per the Ceph documentation. Will try Rook another time.
@pankaj-mandal there are 2 types of encryption
You need to decide on what exact encryption you are looking for
This is what I did
and repeated the above for different values of
The way you have set up encryption is on the OSD side, where the Ceph cluster stores its objects for the files and RBD images. By inspecting the contents of the LogicalVolume, you have access to the unencrypted objects. It is just not trivial to select and combine the objects that present a single file. The format is Ceph specific, and not meant for humans to interact with it.
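For contrast with the OSD-side dm-crypt setup discussed above, the following is an added example (not taken from this issue or verbatim from the ceph-csi repository) of the client-side, per-volume CephFS fscrypt configuration that ceph-csi itself manages: a StorageClass with `encrypted: "true"` and the secret that carries the passphrase for ceph-csi's default secret-based KMS. The cluster fsid, filesystem name, Ceph key and passphrase are placeholders; the `ceph-csi-cephfs` namespace is the one the reporter says the Helm install uses.

```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: csi-cephfs-secret
  namespace: ceph-csi-cephfs        # namespace the Helm chart was installed into
stringData:
  adminID: admin                    # placeholder Ceph user ID
  adminKey: <ceph-auth-key>         # placeholder: output of `ceph auth get-key client.admin`
  # Passphrase consumed by ceph-csi's default (Kubernetes-secret) KMS to derive
  # the per-volume fscrypt key. Use a strong, unique value and keep the secret
  # RBAC-restricted: whoever can read it can unlock every volume of this class.
  encryptionPassphrase: <strong-passphrase>
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: csi-cephfs-sc-encrypted
provisioner: cephfs.csi.ceph.com
parameters:
  clusterID: <cluster-fsid>         # placeholder: value of `ceph fsid`
  fsName: <cephfs-name>             # placeholder: CephFS filesystem name
  # Client-side fscrypt encryption applied by the CSI node plugin to each
  # volume's directory tree; independent of whether the OSDs use dm-crypt.
  # The value is a string and must be quoted.
  encrypted: "true"
  # No encryptionKMSID: ceph-csi falls back to the passphrase in the secret above.
  csi.storage.k8s.io/provisioner-secret-name: csi-cephfs-secret
  csi.storage.k8s.io/provisioner-secret-namespace: ceph-csi-cephfs
  csi.storage.k8s.io/controller-expand-secret-name: csi-cephfs-secret
  csi.storage.k8s.io/controller-expand-secret-namespace: ceph-csi-cephfs
  csi.storage.k8s.io/node-stage-secret-name: csi-cephfs-secret
  csi.storage.k8s.io/node-stage-secret-namespace: ceph-csi-cephfs
reclaimPolicy: Delete
allowVolumeExpansion: true
```

With this class, data is encrypted before it leaves the client node, so OSD disks, dm-crypt or not, hold only ciphertext for those volumes; dm-crypt on the OSD LVs protects against physical loss of a disk, which is a different threat from an operator reading objects on a running OSD.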
Describe the bug
I have been trying to enable encryption for ceph-csi; one of the requirements is to enable fscrypt for the Ceph storage. However, the Ceph OSD stores use LVM, and fscrypt supports ext4 and a few other filesystems but not LVM, so encryption cannot be enabled on the LVM devices.
Environment details
Mounter used for mounting PVC (for cephFS its fuse or kernel; for rbd its krbd or rbd-nbd): kernel
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.2
Steps to reproduce
Steps to reproduce the behavior:
ceph-csi is installed on another node using helm charts.
All pods are up and running
I have encryption set to false at this point in the storageclass. However if I enable encryption in storageclass, it will give an error in the demo pod i.e. the error is something like
Actual results
I guess it is because fscrypt is not enabled in the storage, i.e. on the server side.
If I look at the volumes on the server side, I see
The devices sdb, sdc and sdd need to be encrypted. However, the LVM cannot be encrypted using fscrypt, as it is not supported by fscrypt.