osd dm-crypt key management scheme
----------------------------------
- create new partition type OSD_LOCKBOX (or similar)
- populate with tiny file system
- automount, read-only, at /var/lib/ceph/osd-lockbox/$uuid (the uuid in the mount point only has to be unique to this device: random or the osd uuid both work; the rest of this note uses the osd uuid)
- 'km-mode' file indicates which key management scheme this lockbox uses; activation dispatches on it
creation
--------
- create lockbox partition on device (unencrypted), with tiny fs
- store luks key on monitor
  - ceph config-key put dm-crypt/osd/$osd_uuid/luks $secret
- create a ceph user that can fetch it, and nothing else
  - ceph auth get-or-create client.osd-lockbox.$osd_uuid mon 'allow command "config-key get" with key="dm-crypt/osd/$osd_uuid/luks"' > /var/lib/ceph/osd-lockbox/$osd_uuid/keyring
  - the key named in the cap must be exactly the key stored above ('with key=' is an exact match), or the later 'config-key get' is denied
  - this keyring sits in plaintext on the unencrypted lockbox, so the cap is deliberately limited to this one key; deleting the key or the user on the monitors is what makes the disk unreadable once it is retired
- echo 'ceph-mon v1' > /var/lib/ceph/osd-lockbox/$osd_uuid/km-mode (before the lockbox is remounted read-only)
activation
----------
- if km-mode == "ceph-mon v1" ...
  - use user and key from 'keyring' file:
  - 'ceph -n client.osd-lockbox.$osd_uuid -k /var/lib/ceph/osd-lockbox/$osd_uuid/keyring config-key get dm-crypt/osd/$osd_uuid/luks' will write the secret to stdout
- when we encounter a dm-crypt device,
  - first check legacy location (/etc/ceph/dmcrypt-keys/$osd_uuid)
  - then check for lockbox (/var/lib/ceph/osd-lockbox/$osd_uuid)
  - after we mount the lockbox, re-probe any dm-crypt devices with the same uuid (in case they were tried before the lockbox was mounted)
- if alternative key managers are in use, record them in km-mode and adjust the "get key" method accordingly; an unrecognised km-mode should be an error, not a fall-through to the ceph-mon method
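The creation and activation steps above as one shell script. This is an added example, not ceph-disk's own code: the LOCKBOX_ROOT, LEGACY_KEYDIR, CEPH and CRYPTSETUP variables (defaults are the paths and commands from this note), the function names, and the choice to feed the secret to cryptsetup on stdin are all assumptions made so the lookup order and km-mode dispatch can be exercised against a scratch directory and a stand-in for the ceph command.

```shell
#!/bin/sh
# Added example, not ceph-disk's own code: the creation and activation
# steps of the lockbox scheme as shell functions.  LOCKBOX_ROOT,
# LEGACY_KEYDIR, CEPH and CRYPTSETUP are assumed overrides (defaults are
# the paths from the note) so the logic can be exercised against a
# scratch directory and a stand-in for the 'ceph' command.
set -e

: "${LOCKBOX_ROOT:=/var/lib/ceph/osd-lockbox}"
: "${LEGACY_KEYDIR:=/etc/ceph/dmcrypt-keys}"
: "${CEPH:=ceph}"
: "${CRYPTSETUP:=cryptsetup}"

# config-key name under which the LUKS secret for an osd is stored on the mons
luks_key_name() { echo "dm-crypt/osd/$1/luks"; }

# creation: $1 = osd uuid, $2 = LUKS secret.  Stores the secret on the
# monitors, creates a user whose only capability is reading back that one
# key, and records the scheme in km-mode.  Runs before the lockbox is
# remounted read-only.
lockbox_create() {
    uuid=$1; secret=$2
    dir="$LOCKBOX_ROOT/$uuid"
    mkdir -p "$dir"
    "$CEPH" config-key put "$(luks_key_name "$uuid")" "$secret"
    # the cap must name exactly the key stored above; 'with key=' is an exact match
    "$CEPH" auth get-or-create "client.osd-lockbox.$uuid" \
        mon "allow command \"config-key get\" with key=\"$(luks_key_name "$uuid")\"" \
        > "$dir/keyring"
    chmod 600 "$dir/keyring"
    echo 'ceph-mon v1' > "$dir/km-mode"
}

# activation, step 1: where does the key for osd uuid $1 come from?
# Prints "legacy", "lockbox" or "none"; "none" means the caller should
# re-probe once the lockbox partition has been mounted.
key_source() {
    uuid=$1
    if [ -f "$LEGACY_KEYDIR/$uuid" ]; then
        echo legacy
    elif [ -f "$LOCKBOX_ROOT/$uuid/km-mode" ]; then
        echo lockbox
    else
        echo none
    fi
}

# activation, step 2: write the LUKS secret for osd uuid $1 to stdout,
# dispatching on km-mode.  Unknown schemes are refused, not guessed.
fetch_luks_key() {
    uuid=$1
    case "$(key_source "$uuid")" in
    legacy)
        cat "$LEGACY_KEYDIR/$uuid" ;;
    lockbox)
        dir="$LOCKBOX_ROOT/$uuid"
        mode=$(cat "$dir/km-mode")
        case "$mode" in
        "ceph-mon v1")
            "$CEPH" -n "client.osd-lockbox.$uuid" -k "$dir/keyring" \
                config-key get "$(luks_key_name "$uuid")" ;;
        *)
            echo "$dir: unsupported km-mode '$mode'" >&2
            return 1 ;;
        esac ;;
    none)
        echo "no key for $uuid yet (lockbox not mounted?)" >&2
        return 2 ;;
    esac
}

# activation, step 3: open dm-crypt device $1 as /dev/mapper/$2 with the
# fetched secret.  Passing the key on stdin (--key-file -) is this
# example's choice; the note does not say how the secret reaches dm-crypt.
dmcrypt_open() {
    dev=$1; uuid=$2
    fetch_luks_key "$uuid" | "$CRYPTSETUP" --key-file - luksOpen "$dev" "$uuid"
}
```

The legacy location wins whenever it exists, matching the probe order above, and a "none" result from key_source is what the caller loops on after the lockbox partition gets mounted. Because the keyring is a bearer credential sitting on an unencrypted partition, the example keeps the cap string derived from the same luks_key_name helper as the put, so the two cannot drift apart.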