Ceph

I'm planning on implementing this, I just wanted to get feedback before implementing.

This is really a good idea to have built-in! Thanks for taking this up!

We have been using a custom backup script utilizing ceph config-key dump to at least dump the OSD encryption keys to have them in case the mons are destroyed or their database becomes corrupted.

• Full restore might not always be wanted, so extraction of e.g. "only OSD encryption keys" should be possible / documented maybe?
• There should be an automatic mechanism to create and rotate backups (very basic logic ... interval + number of copies to keep), this removed all the need for additional tooling (cron, systemd-timers, rotation, ...)

Christian Rohmann wrote in #note-2:

My thoughts would be:

• Full restore might not always be wanted, so extraction of e.g. "only OSD encryption keys" should be possible / documented maybe?

I will investigate this later. I have to look how the encryption keys are actually stored. Since I use the rockdb backup functions, they are more like everything or nothing.
I will look if there is a way to open the backup and extract keys by hand, if so, I will implement a key merge.

• There should be an automatic mechanism to create and rotate backups (very basic logic ... interval + number of copies to keep), this removed all the need for additional tooling (cron, systemd-timers, rotation, ...)

I'm working on the cleanup routine right now, since I want some proper time windows in which backups exist. Like 1 backup 7 days old, one for every day and the last 5 backups.