-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Encrypt keys before saving in OMAP file #963
Conversation
e693dde
to
e5c4d59
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gbregman if this is about encrypting secrets at rest (in OMAP values), why the client is encrypting them? With encryption at rest, everything happens close to the storage layer (librados omap read and write calls in the server), but not end to end (since gRPC already provides in transit encryption through TLS).
By having both parties (client & server) to share the encryption key partially defeats the purpose of encryption and also complicates deployment. The secure storage of secrets should be a responsibility of the server, not the client side (leaking a secret from a single client side exposes all secrets).
005d915
to
dbb2d4d
Compare
083b24d
to
0a11882
Compare
Could you share your thoughts on this draft for nvmeof gateway KMS integration: https://github.com/baum/ceph-nvmeof/blob/kms/KMSclient.md ? The KMS client feature appears to be a recurring pattern in ODF, seen in components like noobaa-operator, rook, RGW, etc. I would consider this approach for nvmeof gateway. |
b0831f3
to
c9c3ab2
Compare
6b41346
to
c0fda5d
Compare
Might be an interesting read: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we consider a generic KMS support layer aligned with other Ceph components?
We already said several times that this wouldn't be done for now. It might be done in the future.
d2dc318
to
69c06bf
Compare
No description provided.