==========
Encryption
==========

.. versionadded:: Luminous

The Ceph Object Gateway supports server-side encryption of uploaded objects,
with three options for the management of encryption keys. Server-side encryption
means that the data is sent over HTTP in its unencrypted form, and the Ceph
Object Gateway stores that data in the Ceph Storage Cluster in encrypted form.

.. note:: Requests for server-side encryption must be sent over a secure HTTPS
          connection to avoid sending secrets in plaintext. If a proxy is used
          for SSL termination, ``rgw trust forwarded https`` must be enabled
          before forwarded requests will be trusted as secure.

.. note:: Server-side encryption keys must be 256 bits long and base64 encoded.

Customer-Provided Keys
======================

In this mode, the client passes an encryption key along with each request to
read or write encrypted data. It is the client's responsibility to manage those
keys and to remember which key was used to encrypt each object.

This is implemented in S3 according to the `Amazon SSE-C`_ specification.

As all key management is handled by the client, no special configuration is
needed to support this encryption mode.

Key Management Service
======================

This mode allows keys to be stored in a secure key management service and
retrieved on demand by the Ceph Object Gateway to serve requests to encrypt
or decrypt data.

This is implemented in S3 according to the `Amazon SSE-KMS`_ specification.

In principle, any key management service could be used here, but currently
only integration with `Barbican`_ and `Vault`_ is implemented.

See `OpenStack Barbican Integration`_ and `HashiCorp Vault Integration`_.

Automatic Encryption (for testing only)
=======================================

A ``rgw crypt default encryption key`` can be set in ceph.conf to force the
encryption of all objects that do not otherwise specify an encryption mode.

The configuration expects a base64-encoded 256-bit key. For example::

  rgw crypt default encryption key = 4YSmvJtBv0aZ7geVgAsdpRnLBEwWSWlMIGnRS8a9TSA=

.. important:: This mode is for diagnostic purposes only! The ceph configuration
   file is not a secure method for storing encryption keys. Keys that are
   accidentally exposed in this way should be considered compromised.


.. _Amazon SSE-C: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
.. _Amazon SSE-KMS: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
.. _Barbican: https://wiki.openstack.org/wiki/Barbican
.. _Vault: https://www.vaultproject.io/docs/
.. _OpenStack Barbican Integration: ../barbican
.. _HashiCorp Vault Integration: ../vault
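As an added example (not part of the Ceph documentation or code base), the following Python checks that a key meets the 256-bit, base64-encoded requirement stated above, generates a fresh key of that shape, and builds the request headers the linked Amazon SSE-C specification defines for the Customer-Provided Keys mode; the ``check_default_key_line`` helper for a ``rgw crypt default encryption key`` line is a constructed convenience, not a Ceph tool.

```python
import base64
import binascii
import hashlib
import secrets

KEY_BYTES = 32  # RGW requires a 256-bit key (32 bytes), base64 encoded


def validate_key(b64_key: str) -> bytes:
    """Decode a base64 SSE key and verify it is exactly 256 bits.

    Raises ValueError for malformed base64 or a wrong-sized key so that a
    bad key is rejected before it reaches the gateway.
    """
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key is not valid base64: {exc}") from exc
    if len(raw) != KEY_BYTES:
        raise ValueError(f"key is {len(raw) * 8} bits, expected {KEY_BYTES * 8}")
    return raw


def generate_key() -> str:
    """Return a new random 256-bit key in the base64 form RGW expects."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def sse_c_headers(b64_key: str) -> dict:
    """Build SSE-C request headers (names from the Amazon SSE-C spec).

    Note the key-MD5 header is the base64 of MD5 over the *raw* key bytes,
    not over the base64 string; this is a common client-side mistake.
    """
    raw = validate_key(b64_key)
    key_md5 = base64.b64encode(hashlib.md5(raw).digest()).decode("ascii")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": b64_key,
        "x-amz-server-side-encryption-customer-key-MD5": key_md5,
    }


def check_default_key_line(line: str) -> bool:
    """Constructed helper: validate a ceph.conf default-key line's value."""
    option, _, value = line.partition("=")
    if option.strip() != "rgw crypt default encryption key":
        return False
    validate_key(value.strip())
    return True
```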