Encrypt keys before saving in OMAP file #963
Conversation
gbregman
force-pushed
the
devel
branch
8 times, most recently
from
e693dde to
e5c4d59
Compare
There was a problem hiding this comment.
@gbregman if this is about encrypting secrets at rest (in OMAP values), why the client is encrypting them? With encryption at rest, everything happens close to the storage layer (librados omap read and write calls in the server), but not end to end (since gRPC already provides in transit encryption through TLS).
By having both parties (client & server) to share the encryption key partially defeats the purpose of encryption and also complicates deployment. The secure storage of secrets should be a responsibility of the server, not the client side (leaking a secret from a single client side exposes all secrets).
gbregman
force-pushed
the
devel
branch
6 times, most recently
from
005d915 to
dbb2d4d
Compare
gbregman
force-pushed
the
devel
branch
2 times, most recently
from
083b24d to
0a11882
Compare
|
Could you share your thoughts on this draft for nvmeof gateway KMS integration: https://github.com/baum/ceph-nvmeof/blob/kms/KMSclient.md ? The KMS client feature appears to be a recurring pattern in ODF, seen in components like noobaa-operator, rook, RGW, etc. I would consider this approach for nvmeof gateway. |
gbregman
force-pushed
the
devel
branch
5 times, most recently
from
b0831f3 to
c9c3ab2
Compare
gbregman
force-pushed
the
devel
branch
6 times, most recently
from
6b41346 to
c0fda5d
Compare
|
Might be an interesting read: |
gbregman
dismissed
baum’s stale review
We already said several times that this wouldn't be done for now. It might be done in the future.
gbregman
force-pushed
the
devel
branch
17 times, most recently
from
d2dc318 to
69c06bf
Compare
Fixes #960