Dear Alexander,

Thanks a lot for the helpful comments and insights. Regarding CephFS and RGW, per-user 
encryption seems to be daunting and complex. 

What about encryption on the server side without the per-user requirement? Would it be 
relatively easy to achieve, and how?

Best regards,

Samuel
huxia...@horebdata.cn
 
From: Alexander E. Patrakov
Date: 2023-05-21 15:44
To: huxia...@horebdata.cn
CC: ceph-users
Subject: Re: [ceph-users] Encryption per user Howto
Hello Samuel,
 
On Sun, May 21, 2023 at 3:48 PM huxia...@horebdata.cn
<huxia...@horebdata.cn> wrote:
>
> Dear Ceph folks,
>
> Recently one of our clients approached us with a request on encryption per 
> user, i.e. using an individual encryption key for each user and encrypting files 
> and object store.
>
> Does anyone know (or have experience) how to do this with CephFS and Ceph RGW?
 
For CephFS, this is unachievable.
 
For RGW, please use Vault for storing encryption keys. Don't forget
about the proper high-availability setup. Use an AppRole to manage
tokens. Use Vault Agent as a proxy that adds the token to requests
issued by RGWs. Then create a bucket for each user and set the
encryption policy for this bucket using the PutBucketEncryption API
that is available through AWS CLI. Either SSE-S3 or SSE-KMS will work
for you. SSE-S3 is easier to manage. Each object will then be
encrypted using a different key derived from its name and a per-bucket
master key which never leaves Vault.
 
Note that users will be able to create additional buckets by
themselves, and they won't be encrypted, so tell them either not to do
that or to encrypt the new buckets similarly.
 
-- 
Alexander E. Patrakov
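The bucket-level step Alexander describes (PutBucketEncryption through the AWS CLI, plus a check for the unencrypted buckets users can create themselves), written out as an added example. This is not code from the thread, from Ceph or from AWS; it assumes an RGW endpoint reachable as RGW_ENDPOINT (placeholder), an AWS CLI profile with the bucket owner's keys, and an RGW that is already wired to Vault through the Vault Agent proxy he mentions. Bucket and key names are constructed.

```shell
#!/bin/sh
# Added example (not from the ceph-users thread). Placeholders: RGW_ENDPOINT,
# the bucket names and the KMS key id. Assumes RGW already talks to Vault.

: "${RGW_ENDPOINT:=https://rgw.example.internal}"   # placeholder endpoint

# Emit the ServerSideEncryptionConfiguration JSON that PutBucketEncryption expects.
#   $1 = SSE-S3 | SSE-KMS      $2 = KMS key id (SSE-KMS only)
sse_config() {
  case "$1" in
    SSE-S3)
      # AES256 selects SSE-S3: RGW derives per-object keys from the bucket's master key.
      printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
      ;;
    SSE-KMS)
      if [ -z "$2" ]; then echo "SSE-KMS requires a key id" >&2; return 1; fi
      printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"%s"}}]}' "$2"
      ;;
    *)
      echo "unknown mode: $1 (use SSE-S3 or SSE-KMS)" >&2; return 1
      ;;
  esac
}

# Set the default encryption rule on one bucket. Objects uploaded afterwards
# without an explicit x-amz-server-side-encryption header are encrypted by RGW.
encrypt_bucket() {
  bucket=$1; mode=$2; key=$3
  cfg=$(sse_config "$mode" "$key") || return 1
  aws --endpoint-url "$RGW_ENDPOINT" s3api put-bucket-encryption \
      --bucket "$bucket" --server-side-encryption-configuration "$cfg"
}

# Print the bucket's default algorithm, or NONE when no rule is set
# (GetBucketEncryption returns an error in that case).
bucket_sse_mode() {
  aws --endpoint-url "$RGW_ENDPOINT" s3api get-bucket-encryption --bucket "$1" \
      --query 'ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm' \
      --output text 2>/dev/null || echo NONE
}

# Audit every bucket visible to the current credentials. Run it with each user's
# keys (or have users run it) to catch buckets they created without a rule.
audit_buckets() {
  aws --endpoint-url "$RGW_ENDPOINT" s3api list-buckets --query 'Buckets[].Name' --output text \
    | tr '\t' '\n' | while read -r b; do
        [ -n "$b" ] && printf '%s\t%s\n' "$b" "$(bucket_sse_mode "$b")"
      done
}

# Only contact RGW when asked explicitly, so the helpers can be sourced offline.
if [ "$1" = "apply" ]; then
  encrypt_bucket "$2" "${3:-SSE-S3}" "$4"
elif [ "$1" = "audit" ]; then
  audit_buckets
fi
```

Usage: `sh sse_buckets.sh apply user42-bucket SSE-S3` sets the rule on one bucket; `sh sse_buckets.sh audit` lists each visible bucket with its algorithm, so a line ending in NONE is a bucket that still needs the rule. The script only covers the S3 side; pointing RGW at Vault is done in the RGW configuration beforehand (the rgw_crypt_sse_s3_* options for SSE-S3, rgw_crypt_s3_kms_backend and rgw_crypt_vault_* for SSE-KMS, with the auth mode set to the Vault Agent), and those option names should be checked against the documentation for the Ceph release in use.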
 
_______________________________________________
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io