Osd - simple ceph-mon dm-crypt key management » History » Version 1
Jessica Mack, 08/13/2015 03:40 AM
1 | 1 | Jessica Mack | h1. Osd - simple ceph-mon dm-crypt key management |
---|---|---|---|
2 | |||
3 | h3. Summary |
||
4 | |||
5 | ceph-disk can encrypt disks for you, but it stores keys in /etc/ceph/keys, which is only somewhat useful. Let's construct a scheme that lets you store disk encryption keys security on the monitor without external dependencies. (And perhaps make hooks along the way to use external key management too.) |
||
6 | |||
7 | h3. Owners |
||
8 | |||
9 | * Sage Weil (Red Hat) |
||
10 | * Milan Broz (Red Hat) |
||
11 | * Name |
||
12 | |||
13 | h3. Interested Parties |
||
14 | |||
15 | * Danny Al-Gaaf (Deutsche Telekom) |
||
16 | * Name (Affiliation) |
||
17 | * Name |
||
18 | |||
19 | h3. Current Status |
||
20 | |||
21 | ceph-disk will |
||
22 | * transparently create osd volumes with dm-crypt |
||
23 | * start osds |
||
24 | * store keys in /etc/ceph/keys only |
||
25 | |||
26 | ceph-mon will |
||
27 | * store arbitrary key/value data on the mon |
||
28 | ** ceph config-key set <key> -i value |
||
29 | ** ceph config-key get <key> -o value |
||
30 | * protect this data with a ceph auth key |
||
31 | ** ceph -n client.osd.1.wrapper --key <secret> config-key get osd.1/dmcrypt-key -o ... |
||
32 | * let you restrict keys' access to specific subranges |
||
33 | ** e.g., client.osd.1.wrapper only has access to *read* osd.1/dmcrypt-key and nothing else |
||
34 | |||
35 | on any given disk we have |
||
36 | * a GPT partition table |
||
37 | * GPT parittion types for |
||
38 | ** osd data volume |
||
39 | ** encrypted osd data volume |
||
40 | ** osd journal volume |
||
41 | ** encrypted osd journal volume |
||
42 | |||
43 | h3. Detailed Description |
||
44 | |||
45 | There are a few missing pieces. |
||
46 | *Wrapper key* |
||
47 | The first is that we need a place on the encrypted disk to store a few pieces of metadata: |
||
48 | * which osd id (e.g., 123) and uuid is this |
||
49 | * which cluster uuid is this |
||
50 | * what is the wrapper key |
||
51 | |||
52 | The wrapper key is used to fetch teh decryption key from the mon. It can be easily revoked if the disk goes missing without throwing out the encryption key. |
||
53 | Or, if we use LUKS, I think the encryption key is used to unlock the actual encryption key on the disk. EIther way, the wrapper key can be had by anyone who gets the disk. There is probably a real name for this ("token?") |
||
54 | Do we put a new, tiny partition on the disk to store this? With a new type? |
||
55 | Do we use the same wrapper key for the data and journal? Probably different ones for each, given that they are often on different devices (ssd for journals, hdd for disks, etc.) |
||
56 | |||
57 | *ceph-disk changes* |
||
58 | We need to do a bunch of new stuff here that may mean talking to the mon and be slower than before: |
||
59 | when creating a disk, we need to generate the encryption key, store it on the mon, and generate a wrapper key that can read it. we'll use a boostrap-osd type key to do this. |
||
60 | when activating a disk, we need to get the disk's wrapper key and fetch the encryption key from the mon. this requires the network, which means ceph-disk activate may be slower than before. i'm not sure if udev will mind or not. |
||
61 | |||
62 | *streamline revocation* |
||
63 | We'll want a tool or well-documented workflow to revoke a wrapper key. Maybe give it a unique name (client.osd.1.wrapper.$random) and revoke the key's permissions so we still ahve a record of the key itself for future reference? |
||
64 | |||
65 | h3. Work items |
||
66 | |||
67 | h4. Coding tasks |
||
68 | |||
69 | # establish scheme for storing keys on disks |
||
70 | # expand osd-bootstrap and or osd profiles on mon to allow all the command we need |
||
71 | # ceph-disk: create keys and store them on mon |
||
72 | # ceph-disk activate: fetch keys and start mon |
||
73 | # revocation workflow |
||
74 | # un-revocation worklow? |