Chapter 4. Encryption

About LUKS Disk Encryption and its Benefits

You can use the Linux Unified Key Setup-on-disk-format (LUKS) method to encrypt partitions on a Linux system. LUKS encrypts entire block devices and is therefore well suited for protecting the contents of mobile devices such as removable storage media or laptop disk drives.

Use the ceph-ansible utility to create encrypted OSD nodes to protect data stored on them. For details, see the Configuring Ceph OSD Setting section in the Red Hat Ceph Storage 2 Installation Guide for Red Hat Enterprise Linux 7.

For details on LUKS, see the Overview of LUKS section in the Security Guide for Red Hat Enterprise Linux 7.

How ceph-ansible Creates Encrypted Partitions

During the OSD installation, ceph-ansible calls the ceph-disk utility that is responsible for creating encrypted partitions.

The ceph-disk utility creates a small ceph lockbox partition in addition to the data (ceph data) and journal (ceph journal) partitions. It also creates the cephx user client.osd-lockbox. The ceph lockbox partition contains a key file that client.osd-lockbox uses to retrieve the LUKS private key needed to decrypt the encrypted ceph data and ceph journal partitions.

Then, ceph-disk calls the cryptsetup utility, which creates two dm-crypt devices, one for the ceph data partition and one for the ceph journal partition. Each dm-crypt device is identified by the GUID of the ceph data or ceph journal partition it maps.
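The layout described above can be audited on an OSD node. The following shell snippet is an added example, not code from ceph-disk or ceph-ansible: it parses lsblk output and reports every ceph data or ceph journal partition that has no dm-crypt device mapped on top of it. The lsblk column set and the sample device names and GUIDs are assumptions constructed for the example.

```shell
# Added example: report "ceph data" / "ceph journal" partitions that are not
# backed by a dm-crypt mapping. ceph-disk maps each such partition through a
# dm-crypt device, which lsblk lists as TYPE="crypt" with PKNAME set to the
# underlying partition. Input is the output of:
#   lsblk -Pno NAME,TYPE,PARTLABEL,PKNAME
# (this exact column order is assumed: fields are split on the double quotes).
audit_osd_crypt() {
    awk -F'"' '
        # a crypt device: remember which partition it is mapped on top of
        $4 == "crypt" { encrypted[$8] = 1 }
        # an OSD data or journal partition, remembered in input order
        $4 == "part" && ($6 == "ceph data" || $6 == "ceph journal") {
            label[$2] = $6; order[++n] = $2
        }
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                name = order[i]
                if (!(name in encrypted)) { print name, label[name]; rc = 1 }
            }
            # non-zero exit when at least one partition is unencrypted
            exit rc
        }'
}

# Constructed sample (hypothetical devices and GUIDs), not a real listing:
# sdb1 and sdb2 are mapped through dm-crypt, sdc1 is a plaintext data partition.
SAMPLE_LSBLK='NAME="sdb" TYPE="disk" PARTLABEL="" PKNAME=""
NAME="sdb1" TYPE="part" PARTLABEL="ceph data" PKNAME="sdb"
NAME="2f0c6b7e-1111-2222-3333-444455556666" TYPE="crypt" PARTLABEL="" PKNAME="sdb1"
NAME="sdb2" TYPE="part" PARTLABEL="ceph journal" PKNAME="sdb"
NAME="9a1d4e55-aaaa-bbbb-cccc-ddddeeeeffff" TYPE="crypt" PARTLABEL="" PKNAME="sdb2"
NAME="sdb3" TYPE="part" PARTLABEL="ceph lockbox" PKNAME="sdb"
NAME="sdc1" TYPE="part" PARTLABEL="ceph data" PKNAME="sdc"'

# On a live node: lsblk -Pno NAME,TYPE,PARTLABEL,PKNAME | audit_osd_crypt
printf '%s\n' "$SAMPLE_LSBLK" | audit_osd_crypt \
    || echo "unencrypted OSD partitions found"   # prints: sdc1 ceph data
```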

How ceph-ansible Handles the LUKS Keys

The ceph-ansible utility stores the LUKS private keys in the Ceph Monitor key-value store. Each OSD has its own key for decrypting the dm-crypt devices that contain the OSD data and the journal. The encrypted partitions are decrypted automatically on boot.