Hello, we have a JEWEL cluster upgraded from FIREFLY. The cluster is encrypted with dmcrypt.
Yesterday, I added some new OSDs, the first time since the upgrade. I searched for the new keys to back them up and saw that the creation of new OSDs with the dmcrypt option has changed. To be able to retrieve the key if the server's filesystem crashes ( http://tracker.ceph.com/issues/14669 ) or if the OSD moves, a Ceph user is created and its keyring file is used as the LUKS encryption key. Good idea.

The problem is: there is a small partition named "ceph lockbox" at the beginning of the disk. We can find the keyring among the files of this partition. Why is the encryption key stored on the same disk, and in clear? Someone who could get the disk would be able to read it. There's no point encrypting it in this case.

It is urgent to move the keyring file elsewhere (in /etc/ceph/dmcrypt-keys?).

Regards,
Pierre

--
----------------------------------------------
Pierre BLONDEAU
System & Network Administrator
Université de Caen Normandie
Laboratoire GREYC, Département d'informatique
Tel: 02 31 56 75 42. Office: Campus 2, Science 3, 406
----------------------------------------------
_______________________________________________ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
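As an added example, not part of Pierre's post or of Ceph's own tooling: a small audit script an operator could run against a mounted lockbox partition to confirm what the post describes, namely that a Ceph keyring with its secret in clear sits on the disk. It assumes the lockbox has already been mounted read-only at a directory given on the command line, that keyrings use Ceph's usual INI-like layout (a `[client.xxx]` section followed by a `key = <base64>` line), and that the decoded CephX key layout (little-endian u16 type, u32 seconds, u32 nanoseconds, u16 length, then the secret) matches Ceph's CryptoKey encoding; the layout is from the editor's knowledge of Ceph, not from the post, and the sample keyring the script builds when run without arguments is constructed, not real key material.

```python
# Added example: audit a mounted "ceph lockbox" partition for Ceph keyrings
# whose secret is stored in clear. Not code from the post or from Ceph.
# Assumptions (not stated in the post): the lockbox is mounted read-only at
# the directory passed in; keyrings use the INI-like "[entity]" / "key = b64"
# layout; the CephX key layout decoded below (u16 type, u32 sec, u32 nsec,
# u16 len, secret; little-endian) is from the editor's knowledge of Ceph.
import base64
import os
import re
import struct
import tempfile

SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
KEY_RE = re.compile(r"^\s*key\s*=\s*(\S+)\s*$")
CEPH_CRYPTO_AES = 1  # CephX key type value for AES


def parse_keyring(text):
    """Return {entity: base64_key} for every section that carries a key line."""
    entries, entity = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            entity = m.group(1).strip()
            continue
        m = KEY_RE.match(line)
        if m and entity is not None:
            entries[entity] = m.group(1)
    return entries


def decode_cephx_key(b64):
    """Decode a base64 CephX secret into (key_type, created_sec, secret_bytes).

    Raises ValueError when the blob is not a well-formed CephX key, so an
    arbitrary string on a "key =" line is not reported as a real secret.
    """
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 12:
        raise ValueError("too short to be a CephX key")
    key_type, sec, _nsec, length = struct.unpack("<HIIH", raw[:12])
    secret = raw[12:12 + length]
    if len(secret) != length or raw[12 + length:]:
        raise ValueError("secret length does not match header")
    return key_type, sec, secret


def audit_lockbox(lockbox_dir):
    """Walk a mounted lockbox and report every decodable secret found in clear."""
    findings = []
    for root, _dirs, files in os.walk(lockbox_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    entries = parse_keyring(fh.read())
            except OSError:
                continue
            for entity, b64 in entries.items():
                try:
                    key_type, created, secret = decode_cephx_key(b64)
                except (ValueError, struct.error):
                    continue  # not a CephX key; skip it
                findings.append({
                    "path": path,
                    "entity": entity,
                    "key_type": key_type,
                    "created": created,
                    "secret_len": len(secret),
                    "aes": key_type == CEPH_CRYPTO_AES,
                })
    return findings


def build_sample_lockbox():
    """Create a constructed lockbox directory with one fake keyring for offline runs."""
    # Constructed 16-byte secret and fixed timestamp; this is not real key material.
    raw = struct.pack("<HIIH", CEPH_CRYPTO_AES, 1480000000, 0, 16) + bytes(range(16))
    b64 = base64.b64encode(raw).decode()
    lockbox = tempfile.mkdtemp(prefix="ceph-lockbox-sample-")
    with open(os.path.join(lockbox, "keyring"), "w") as fh:
        fh.write("[client.osd-lockbox.00000000-0000-0000-0000-000000000000]\n")
        fh.write("\tkey = %s\n" % b64)
    with open(os.path.join(lockbox, "magic"), "w") as fh:
        fh.write("not a keyring\n")  # a non-keyring file must not produce a finding
    return lockbox


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_lockbox()
    for f in audit_lockbox(target):
        print("%s: %s holds a %d-byte %s secret in clear" % (
            f["path"], f["entity"], f["secret_len"], "AES" if f["aes"] else "non-AES"))
```

Run it with the lockbox mount point as the only argument (for example after mounting the first partition of the OSD disk read-only); with no argument it builds the constructed sample directory and audits that instead. A finding means a CephX secret is readable from that partition without any other key, which is the situation the post objects to; whether that secret alone suffices to open the LUKS volume is not something this script checks.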