[ceph-users] GDPR encryption at rest
David Turner
2018-05-02 15:12:10 UTC
I've heard conflicting opinions if GDPR requires data to be encrypted at
rest, but enough of our customers believe that it is that we're looking at
addressing it in our clusters. I had a couple questions about the state of
encryption in ceph.

1) My experience with encryption in Ceph is dmcrypt, is this still the
standard method or is there something new with bluestore?
2) Assuming dmcrypt is still the preferred option, is it fully
supported/tested in ceph-volume? There were problems with this when
ceph-volume was initially released, but I believe those have been resolved.
3) Any other thoughts about encryption at rest? I have an upgrade path to
get to encryption (basically the same as getting to bluestore from
filestore).

Thanks for your comments.
Alfredo Deza
2018-05-02 15:25:28 UTC
Post by David Turner
I've heard conflicting opinions if GDPR requires data to be encrypted at
rest, but enough of our customers believe that it is that we're looking at
addressing it in our clusters. I had a couple questions about the state of
encryption in ceph.
1) My experience with encryption in Ceph is dmcrypt, is this still the
standard method or is there something new with bluestore?
Standard, yes.
Post by David Turner
2) Assuming dmcrypt is still the preferred option, is it fully
supported/tested in ceph-volume? There were problems with this when
ceph-volume was initially released, but I believe those have been resolved.
It is fully supported, but only with LUKS. The initial release of
ceph-volume didn't have dmcrypt support.
Post by David Turner
3) Any other thoughts about encryption at rest? I have an upgrade path to
get to encryption (basically the same as getting to bluestore from
filestore).
Not sure what you mean by 'rest'. The ceph-volume encryption would
give you the same type of encryption that was provided by ceph-disk
with the only "gotcha" being it is LUKS (plain is not supported for
newly encrypted devices)
Post by David Turner
Thanks for your comments.
David Turner
2018-05-02 15:51:09 UTC
At 'rest' is talking about data on its own, not being accessed through an
application. Encryption at rest is most commonly done by encrypting the
block device with something like dmcrypt. It's anything that makes having
the physical disk useless without being able to decrypt it. You can also
just encrypt a folder with sensitive information which would also be
encryption at rest. Encryption not at rest would be like putting a secure
layer between the data and the users that access it, like HTTPS/SSL.
David Turner
2018-05-03 17:22:41 UTC
The process to create an encrypted bluestore OSD is very simple to make
them utilize dmcrypt (literally just add --dmcrypt to the exact same
command you would run normally to create the OSD). The gotcha is that I
had to find the option by using --help with ceph-volume from the cli. I
was unable to find any reference to it in the ceph docs online.

I'm not sure where I would suggest putting it. I searched for it through
googling the terms and didn't find anything. Hopefully this comes up in
future searches and is helpful.

[1] ceph-volume --help
ceph-volume lvm --help
ceph-volume lvm create --help (ahh, there it is)
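Added example (not part of the original thread, and not Ceph project code): a check that every OSD volume on a host was provisioned with --dmcrypt, by reading the `ceph.encrypted` LVM tag from `ceph-volume lvm list --format json`. The JSON layout shown and the sample data are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like `ceph-volume lvm list --format json` output
# (assumed layout: OSD id -> list of logical volumes, each with LVM "tags").
SAMPLE = json.dumps({
    "0": [{"type": "block", "devices": ["/dev/sdb"],
           "tags": {"ceph.osd_id": "0", "ceph.encrypted": "1"}}],
    "1": [{"type": "block", "devices": ["/dev/sdc"],
           "tags": {"ceph.osd_id": "1", "ceph.encrypted": "0"}}],
    "2": [{"type": "block", "devices": ["/dev/sdd"],
           "tags": {"ceph.osd_id": "2", "ceph.encrypted": "1"}},
          {"type": "db", "devices": ["/dev/nvme0n1"],
           "tags": {"ceph.osd_id": "2"}}],  # tag missing: treated as unencrypted
})


def unencrypted_volumes(listing_json):
    """Return sorted (osd_id, lv_type, devices) for every LV not tagged encrypted."""
    findings = []
    for osd_id, volumes in json.loads(listing_json).items():
        for vol in volumes:
            tags = vol.get("tags", {})
            # Fail closed: anything other than an explicit "1" is a finding.
            if str(tags.get("ceph.encrypted", "0")) != "1":
                findings.append((int(osd_id), vol.get("type", "unknown"),
                                 tuple(vol.get("devices", []))))
    return sorted(findings)


def report(listing_json):
    """Render one line per finding, or a single all-clear line."""
    findings = unencrypted_volumes(listing_json)
    lines = [f"osd.{osd} {lv_type} on {','.join(devs) or '?'}: NOT encrypted"
             for osd, lv_type, devs in findings]
    return lines or ["all OSD volumes are tagged encrypted"]


if __name__ == "__main__":
    # On an OSD host, pipe the real listing in instead of using SAMPLE:
    #   ceph-volume lvm list --format json | python3 audit.py -
    import sys
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    print("\n".join(report(data)))
```

The tag records how the volume was prepared; `cryptsetup isLuks` against the logical volume confirms that a LUKS header is actually present on disk.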
Alfredo Deza
2018-05-03 17:28:43 UTC
Post by David Turner
The process to create an encrypted bluestore OSD is very simple to make them
utilize dmcrypt (literally just add --dmcrypt to the exact same command you
would run normally to create the OSD). The gotcha is that I had to find the
option by using --help with ceph-volume from the cli. I was unable to find
any reference to it in the ceph docs online.
I'm not sure where I would suggest putting it. I searched for it through
googling the terms and didn't find anything. Hopefully this comes up in
future searches and is helpful.
You are right, it seems that although we have the details at
http://docs.ceph.com/docs/master/ceph-volume/lvm/encryption/
we didn't actually update the flags in the prepare/activate/create sections.

I will make sure those are updated. Thanks for pointing this out.
Vik Tara
2018-05-10 11:04:13 UTC
Post by David Turner
I've heard conflicting opinions if GDPR requires data to be encrypted
at rest
Encryption both in transit and at rest is part of data protection by
design: it is about making sure that you have control over the data that
you hold/are processing and that if you lose physical control over the
storage medium (at rest) or the communication channel (in transit) that
you do not also have a loss of control (a data breach). Encrypted data,
whether it includes personal data or not, is 'protected' secure data.

GDPR doesn't particularly describe encryption but the ICO guidance does
and in particular

"Where appropriate, you should look to use measures such as
pseudonymisation and encryption."

We're currently working on a Ceph based Document Management System with
object encryption which needs to comply with GDPR for users - and we're
opting for encrypting everything!