Chapter 4. Ceph on-disk encryption

About LUKS Disk Encryption and its Benefits

You can use the Linux Unified Key Setup-on-disk-format (LUKS) method to encrypt partitions on a Linux system. LUKS encrypts entire block devices and is therefore well suited for protecting the contents of mobile devices such as removable storage media or laptop disk drives.

Use the ceph-ansible utility to create encrypted OSD nodes to protect the data stored on them. For details, see the Installing a Red Hat Ceph Storage Cluster section in the Red Hat Ceph Storage 4 Installation Guide.

For details on LUKS, see the Overview of LUKS section in the Security Guide for Red Hat Enterprise Linux 7.

How ceph-ansible Creates Encrypted Partitions

During the OSD installation, ceph-ansible calls the ceph-disk utility that is responsible for creating encrypted partitions.

The ceph-disk utility creates a small ceph lockbox partition in addition to the data (ceph data) and journal (ceph journal) partitions. Also, ceph-disk creates the cephx client.osd-lockbox user. The ceph lockbox partition contains a key file that client.osd-lockbox uses to retrieve the LUKS private key needed to decrypt encrypted ceph data and ceph journal partitions.

Then, ceph-disk calls the cryptsetup utility, which creates two dm-crypt devices, one for the ceph data partition and one for the ceph journal partition. Each dm-crypt device uses the GUID of the ceph data or ceph journal partition it wraps as its identifier.
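The layout above can be verified from a node's block device tree. The following script is an added example, not part of this guide or of ceph-ansible: it parses the output of `lsblk -J -o NAME,TYPE,PARTLABEL,PARTUUID` (a constructed sample is embedded), and reports any ceph data or ceph journal partition that is not wrapped by a dm-crypt device named after its GUID, as well as a lockbox partition that is unexpectedly encrypted. The partition labels and GUIDs in the sample are assumptions made for the example.

```python
"""Audit a ceph-disk OSD layout from lsblk JSON output.

Expectation (from the ceph-disk layout): every 'ceph data' and
'ceph journal' partition has a dm-crypt child whose name is the
partition GUID, and the 'ceph lockbox' partition stays unencrypted
because it holds the key file used to fetch the LUKS key.
"""
import json

ENCRYPTED_LABELS = {"ceph data", "ceph journal"}
LOCKBOX_LABEL = "ceph lockbox"


def _walk(node):
    """Yield a node and all of its descendants (lsblk nests under 'children')."""
    yield node
    for child in node.get("children") or []:
        yield from _walk(child)


def audit_osd_layout(lsblk_json):
    """Return a list of findings; an empty list means the layout matches."""
    tree = json.loads(lsblk_json)
    findings = []
    for part in (n for dev in tree["blockdevices"] for n in _walk(dev)):
        label = part.get("partlabel")
        children = part.get("children") or []
        crypt = [c for c in children if c.get("type") == "crypt"]
        if label in ENCRYPTED_LABELS:
            if not crypt:
                findings.append(f"{part['name']} ({label}) has no dm-crypt mapping")
            elif crypt[0]["name"] != part.get("partuuid"):
                findings.append(f"{part['name']} ({label}) dm-crypt name is not the partition GUID")
        elif label == LOCKBOX_LABEL and crypt:
            findings.append(f"{part['name']} (lockbox) is unexpectedly encrypted")
    return findings


# Constructed sample: GUIDs are placeholders, not values from a real node.
DATA_GUID = "11111111-1111-1111-1111-111111111111"
SAMPLE_LSBLK = json.dumps({"blockdevices": [{
    "name": "sdb", "type": "disk", "partlabel": None, "partuuid": None, "children": [
        {"name": "sdb1", "type": "part", "partlabel": "ceph data", "partuuid": DATA_GUID,
         "children": [{"name": DATA_GUID, "type": "crypt", "partlabel": None, "partuuid": None}]},
        {"name": "sdb2", "type": "part", "partlabel": "ceph journal",
         "partuuid": "22222222-2222-2222-2222-222222222222", "children": []},
        {"name": "sdb3", "type": "part", "partlabel": "ceph lockbox",
         "partuuid": "33333333-3333-3333-3333-333333333333", "children": []}]}]})

if __name__ == "__main__":
    for finding in audit_osd_layout(SAMPLE_LSBLK):
        print(finding)
```

On a live node, replace SAMPLE_LSBLK with the output of the lsblk command named in the docstring; the sample deliberately leaves the journal partition unencrypted so that one finding is reported.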

Important

The ceph-disk command is deprecated in Red Hat Ceph Storage 4. The ceph-volume command is now the preferred method for deploying OSDs from the command-line interface. Currently, the ceph-volume command only supports the lvm plugin.

See the Red Hat Ceph Storage Administration Guide, for more information on using the ceph-volume command.

How ceph-ansible Handles the LUKS Keys

The ceph-ansible utility stores the LUKS private keys in the Ceph Monitor key-value store. Each OSD has its own key for decrypting the dm-crypt devices containing the OSD data and the journal. The encrypted partitions are decrypted on boot automatically.