Encryption

New in version Luminous.

The Ceph Object Gateway supports server-side encryption of uploaded objects, with 3 options for the management of encryption keys. Server-side encryption means that the data is sent over HTTP in its unencrypted form, and the Ceph Object Gateway stores that data in the Ceph Storage Cluster in encrypted form.

Note

Requests for server-side encryption must be sent over a secure HTTPS connection to avoid sending secrets in plaintext. If a proxy is used for SSL termination, rgw trust forwarded https must be enabled before forwarded requests will be trusted as secure.

Note

Server-side encryption keys must be 256-bit long and base64 encoded.

Customer-Provided Keys

In this mode, the client passes an encryption key along with each request to read or write encrypted data. It is the client's responsibility to manage those keys and remember which key was used to encrypt each object.

This is implemented in S3 according to the Amazon SSE-C specification.

As all key management is handled by the client, no special configuration is needed to support this encryption mode.
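The following is an added example, not code from the Ceph project or its documentation. It shows what the client side of SSE-C has to get right before a request ever reaches the gateway: the key must decode to exactly 256 bits (the requirement stated in the note above), and each PUT or GET must carry the algorithm, the base64 key and the base64 MD5 of the raw key bytes, using the header names defined by the Amazon SSE-C specification the gateway implements. The function names and the key returned by generate_key_b64 are this example's own; the fixed key used in the test is the example key shown later on this page.

```python
import base64
import hashlib
import secrets

# Added example (not from the Ceph docs or code base): client-side preparation
# of SSE-C request material for the Ceph Object Gateway.

KEY_BYTES = 32  # the gateway requires 256-bit keys, base64-encoded


def generate_key_b64() -> str:
    """Return a fresh random 256-bit key, base64-encoded as the gateway expects.

    The caller must store this string: the gateway keeps no copy, and an object
    written with it cannot be read back without the identical key.
    """
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def decode_key(key_b64: str) -> bytes:
    """Decode and validate a base64 key; reject anything that is not 256 bits.

    Raising ValueError here keeps a malformed or short key from ever being put
    on the wire, where the gateway would reject the request.
    """
    # validate=True refuses characters outside the base64 alphabet
    # (binascii.Error is a ValueError subclass, so one except clause suffices).
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != KEY_BYTES:
        raise ValueError(
            f"SSE-C key must be {KEY_BYTES * 8} bits, got {len(raw) * 8}"
        )
    # Require the canonical encoding so the same key string is presented on
    # every later GET; a non-canonical string would decode but not round-trip.
    if base64.b64encode(raw).decode("ascii") != key_b64:
        raise ValueError("SSE-C key is not canonical base64")
    return raw


def ssec_headers(key_b64: str) -> dict:
    """Headers for an SSE-C PUT or GET against the gateway.

    The MD5 header is computed over the *raw* key bytes, not over the base64
    text; the gateway uses it to detect a corrupted or mistyped key.
    """
    raw = decode_key(key_b64)
    key_md5 = base64.b64encode(hashlib.md5(raw).digest()).decode("ascii")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": key_b64,
        "x-amz-server-side-encryption-customer-key-MD5": key_md5,
    }


if __name__ == "__main__":
    key = generate_key_b64()
    for name, value in ssec_headers(key).items():
        print(f"{name}: {value}")
```

The same three headers must accompany the later GET of an encrypted object, with the same key string; the gateway only holds the ciphertext. With boto3, the equivalent is passing the raw key bytes as `SSECustomerKey` together with `SSECustomerAlgorithm="AES256"` to `put_object` and `get_object`; botocore base64-encodes the key and fills in the MD5 header itself.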

Key Management Service

This mode allows keys to be stored in a secure key management service and retrieved on demand by the Ceph Object Gateway to serve requests to encrypt or decrypt data.

This is implemented in S3 according to the Amazon SSE-KMS specification.

In principle, any key management service could be used here, but currently only integrations with Barbican and Vault are implemented.

See OpenStack Barbican Integration and HashiCorp Vault Integration.

Automatic Encryption (for testing only)

A rgw crypt default encryption key can be set in ceph.conf to force the encryption of all objects that do not otherwise specify an encryption mode.

The configuration expects a base64-encoded 256-bit key. For example:

  rgw crypt default encryption key = 4YSmvJtBv0aZ7geVgAsdpRnLBEwWSWlMIGnRS8a9TSA=

Important

This mode is for diagnostic purposes only! The ceph configuration file is not a secure method for storing encryption keys. Keys that are accidentally exposed in this way should be considered compromised.