Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Encrypt keys before saving in OMAP file #963

Closed
wants to merge 0 commits into from
Closed

Conversation

gbregman
Copy link
Contributor

@gbregman gbregman commented Nov 25, 2024

No description provided.

control/utils.py Outdated Show resolved Hide resolved
control/utils.py Outdated Show resolved Hide resolved
control/utils.py Outdated Show resolved Hide resolved
control/utils.py Outdated Show resolved Hide resolved
@gbregman gbregman force-pushed the devel branch 8 times, most recently from e693dde to e5c4d59 Compare November 27, 2024 14:53
Copy link
Member

@epuertat epuertat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gbregman if this is about encrypting secrets at rest (in OMAP values), why the client is encrypting them? With encryption at rest, everything happens close to the storage layer (librados omap read and write calls in the server), but not end to end (since gRPC already provides in transit encryption through TLS).

By having both parties (client & server) to share the encryption key partially defeats the purpose of encryption and also complicates deployment. The secure storage of secrets should be a responsibility of the server, not the client side (leaking a secret from a single client side exposes all secrets).

control/proto/gateway.proto Outdated Show resolved Hide resolved
control/server.py Outdated Show resolved Hide resolved
control/utils.py Outdated Show resolved Hide resolved
@gbregman gbregman force-pushed the devel branch 6 times, most recently from 005d915 to dbb2d4d Compare November 29, 2024 09:48
@gbregman gbregman requested a review from epuertat November 29, 2024 09:50
@gbregman gbregman marked this pull request as draft November 29, 2024 19:14
@gbregman gbregman removed the request for review from epuertat November 29, 2024 19:14
@gbregman gbregman force-pushed the devel branch 2 times, most recently from 083b24d to 0a11882 Compare November 29, 2024 20:06
@baum
Copy link
Collaborator

baum commented Dec 1, 2024

Could you share your thoughts on this draft for nvmeof gateway KMS integration: https://github.com/baum/ceph-nvmeof/blob/kms/KMSclient.md ? The KMS client feature appears to be a recurring pattern in ODF, seen in components like noobaa-operator, rook, RGW, etc. I would consider this approach for nvmeof gateway.

@gbregman gbregman force-pushed the devel branch 5 times, most recently from b0831f3 to c9c3ab2 Compare December 1, 2024 16:56
@gbregman gbregman force-pushed the devel branch 6 times, most recently from 6b41346 to c0fda5d Compare December 5, 2024 11:52
@gbregman gbregman marked this pull request as ready for review December 5, 2024 11:58
@baum
Copy link
Collaborator

baum commented Dec 9, 2024

baum
baum previously requested changes Dec 9, 2024
Copy link
Collaborator

@baum baum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we consider a generic KMS support layer aligned with other Ceph components?

@gbregman gbregman dismissed baum’s stale review December 9, 2024 10:07

We already said several times that this wouldn't be done for now. It might be done in the future.

@gbregman gbregman force-pushed the devel branch 17 times, most recently from d2dc318 to 69c06bf Compare December 11, 2024 08:28
@gbregman gbregman closed this Dec 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

5 participants