[ceph.git] / ceph / doc / radosgw / encryption.rst

==========
Encryption
==========

.. versionadded:: Luminous

The Ceph Object Gateway supports server-side encryption of uploaded objects,
with 3 options for the management of encryption keys. Server-side encryption
means that the data is sent over HTTP in its unencrypted form, and the Ceph
Object Gateway stores that data in the Ceph Storage Cluster in encrypted form.

.. note:: Requests for server-side encryption must be sent over a secure HTTPS
          connection to avoid sending secrets in plaintext. If a proxy is used
          for SSL termination, ``rgw trust forwarded https`` must be enabled
          before forwarded requests will be trusted as secure.

.. note:: Server-side encryption keys must be 256-bit long and base64 encoded.

Customer-Provided Keys
======================

In this mode, the client passes an encryption key along with each request to
read or write encrypted data. It is the client's responsibility to manage those
keys and remember which key was used to encrypt each object.

This is implemented in S3 according to the `Amazon SSE-C`_ specification.

As all key management is handled by the client, no special configuration is
needed to support this encryption mode.

Key Management Service
======================

This mode allows keys to be stored in a secure key management service and
retrieved on demand by the Ceph Object Gateway to serve requests to encrypt
or decrypt data.

This is implemented in S3 according to the `Amazon SSE-KMS`_ specification.

In principle, any key management service could be used here, but currently
only integration with `Barbican`_ and `Vault`_ are implemented.

See `OpenStack Barbican Integration`_ and `HashiCorp Vault Integration`_.

Automatic Encryption (for testing only)
=======================================

A ``rgw crypt default encryption key`` can be set in ceph.conf to force the
encryption of all objects that do not otherwise specify an encryption mode.

The configuration expects a base64-encoded 256 bit key. For example::

  rgw crypt default encryption key = 4YSmvJtBv0aZ7geVgAsdpRnLBEwWSWlMIGnRS8a9TSA=

.. important:: This mode is for diagnostic purposes only! The ceph configuration
   file is not a secure method for storing encryption keys. Keys that are
   accidentally exposed in this way should be considered compromised.


.. _Amazon SSE-C: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
.. _Amazon SSE-KMS: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
.. _Barbican: https://wiki.openstack.org/wiki/Barbican
.. _Vault: https://www.vaultproject.io/docs/
.. _OpenStack Barbican Integration: ../barbican
.. _HashiCorp Vault Integration: ../vault
Commit	Line	Data
7c673cae FG	1	==========
	2	Encryption
	3	==========
	4
	5	.. versionadded:: Luminous
	6
	7	The Ceph Object Gateway supports server-side encryption of uploaded objects,
	8	with 3 options for the management of encryption keys. Server-side encryption
	9	means that the data is sent over HTTP in its unencrypted form, and the Ceph
	10	Object Gateway stores that data in the Ceph Storage Cluster in encrypted form.
	11
f64942e4 AA	12	.. note:: Requests for server-side encryption must be sent over a secure HTTPS
	13	connection to avoid sending secrets in plaintext. If a proxy is used
	14	for SSL termination, ``rgw trust forwarded https`` must be enabled
	15	before forwarded requests will be trusted as secure.
	16
9f95a23c TL	17	.. note:: Server-side encryption keys must be 256-bit long and base64 encoded.
9f95a23c TL	18
7c673cae FG	19	Customer-Provided Keys
	20	======================
	21
	22	In this mode, the client passes an encryption key along with each request to
	23	read or write encrypted data. It is the client's responsibility to manage those
	24	keys and remember which key was used to encrypt each object.
	25
	26	This is implemented in S3 according to the `Amazon SSE-C`_ specification.
	27
	28	As all key management is handled by the client, no special configuration is
	29	needed to support this encryption mode.
	30
	31	Key Management Service
	32	======================
	33
	34	This mode allows keys to be stored in a secure key management service and
31f18b77	35	retrieved on demand by the Ceph Object Gateway to serve requests to encrypt
7c673cae FG	36	or decrypt data.
	37
	38	This is implemented in S3 according to the `Amazon SSE-KMS`_ specification.
	39
	40	In principle, any key management service could be used here, but currently
9f95a23c	41	only integration with `Barbican`_ and `Vault`_ are implemented.
7c673cae	42
9f95a23c	43	See `OpenStack Barbican Integration`_ and `HashiCorp Vault Integration`_.
7c673cae FG	44
	45	Automatic Encryption (for testing only)
	46	=======================================
	47
	48	A ``rgw crypt default encryption key`` can be set in ceph.conf to force the
	49	encryption of all objects that do not otherwise specify an encryption mode.
	50
	51	The configuration expects a base64-encoded 256 bit key. For example::
	52
	53	rgw crypt default encryption key = 4YSmvJtBv0aZ7geVgAsdpRnLBEwWSWlMIGnRS8a9TSA=
	54
	55	.. important:: This mode is for diagnostic purposes only! The ceph configuration
	56	file is not a secure method for storing encryption keys. Keys that are
	57	accidentally exposed in this way should be considered compromised.
	58
	59
	60	.. _Amazon SSE-C: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
	61	.. _Amazon SSE-KMS: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
	62	.. _Barbican: https://wiki.openstack.org/wiki/Barbican
9f95a23c	63	.. _Vault: https://www.vaultproject.io/docs/
7c673cae	64	.. _OpenStack Barbican Integration: ../barbican
9f95a23c	65	.. _HashiCorp Vault Integration: ../vault