]>
Commit | Line | Data |
---|---|---|
7c673cae FG |
1 | ========== |
2 | Encryption | |
3 | ========== | |
4 | ||
5 | .. versionadded:: Luminous | |
6 | ||
7 | The Ceph Object Gateway supports server-side encryption of uploaded objects, | |
8 | with 3 options for the management of encryption keys. Server-side encryption | |
9 | means that the data is sent over HTTP in its unencrypted form, and the Ceph | |
10 | Object Gateway stores that data in the Ceph Storage Cluster in encrypted form. | |
11 | ||
12 | Customer-Provided Keys | |
13 | ====================== | |
14 | ||
15 | In this mode, the client passes an encryption key along with each request to | |
16 | read or write encrypted data. It is the client's responsibility to manage those | |
17 | keys and remember which key was used to encrypt each object. | |
18 | ||
19 | This is implemented in S3 according to the `Amazon SSE-C`_ specification. | |
20 | ||
21 | As all key management is handled by the client, no special configuration is | |
22 | needed to support this encryption mode. | |
23 | ||
24 | Key Management Service | |
25 | ====================== | |
26 | ||
27 | This mode allows keys to be stored in a secure key management service and | |
31f18b77 | 28 | retrieved on demand by the Ceph Object Gateway to serve requests to encrypt |
7c673cae FG |
29 | or decrypt data. |
30 | ||
31 | This is implemented in S3 according to the `Amazon SSE-KMS`_ specification. | |
32 | ||
33 | In principle, any key management service could be used here, but currently | |
34 | only integration with `Barbican`_ is implemented. | |
35 | ||
36 | See `OpenStack Barbican Integration`_. | |
37 | ||
38 | Automatic Encryption (for testing only) | |
39 | ======================================= | |
40 | ||
41 | A ``rgw crypt default encryption key`` can be set in ceph.conf to force the | |
42 | encryption of all objects that do not otherwise specify an encryption mode. | |
43 | ||
44 | The configuration expects a base64-encoded 256 bit key. For example:: | |
45 | ||
46 | rgw crypt default encryption key = 4YSmvJtBv0aZ7geVgAsdpRnLBEwWSWlMIGnRS8a9TSA= | |
47 | ||
48 | .. important:: This mode is for diagnostic purposes only! The ceph configuration | |
49 | file is not a secure method for storing encryption keys. Keys that are | |
50 | accidentally exposed in this way should be considered compromised. | |
51 | ||
52 | ||
53 | .. _Amazon SSE-C: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html | |
54 | .. _Amazon SSE-KMS: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html | |
55 | .. _Barbican: https://wiki.openstack.org/wiki/Barbican | |
56 | .. _OpenStack Barbican Integration: ../barbican |