To secure Ceph:
Use cephx to authenticate users and daemons to protect against
MitM attacks (information disclosure, tampering). The cephx protocol uses
shared secret keys for authentication.
Note
The network communication channel is not encrypted, including the messages used to configure shared secret keys. The system is primarily intended to be used in trusted environments.
For block storage encryption, ceph-disk can use the Linux dm-crypt
functionality through the --dmcrypt parameter to mitigate
the information disclosure threat.
Note
The keys are stored in /etc/ceph/keys by default, which
requires setting strict permissions for this folder.
Use Ceph in a multi-project mode to mitigate elevation of privilege (EoP).
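One way to check and enforce the strict permissions that the note on /etc/ceph/keys calls for. This is an added example, not part of the original page or of Ceph itself. It assumes GNU find and chown, root as the expected owner, and modes 0700 for directories and 0600 for key files; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and tighten the Ceph key directory.
# Assumptions: GNU find/chown; owner root; modes 0700 (dirs) and 0600 (files).
DEFAULT_KEY_DIR=/etc/ceph/keys   # default location stated in the note above

# Refuse anything that is not a real directory (a symlinked key directory
# could redirect the check or the chmod/chown to another tree).
is_real_dir() { [ -d "$1" ] && [ ! -L "$1" ]; }

# Print each entry not owned by $2 or granting any group/other permission bit.
# Symlinks inside the tree are always reported (their mode is 0777).
# Returns 0 = clean, 1 = findings printed, 2 = bad path.
audit_key_dir() {
    dir=$1 owner=${2:-root}
    is_real_dir "$dir" || { echo "not a real directory: $dir" >&2; return 2; }
    findings=$(find "$dir" \( ! -user "$owner" -o -perm /077 \) -print)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Set owner and strict modes; symlinks are left for manual review, so a
# following audit still reports them.
harden_key_dir() {
    dir=$1 owner=${2:-root}
    is_real_dir "$dir" || return 2
    chown -R -h "$owner" "$dir" &&
        find "$dir" -type d -exec chmod 700 {} + &&
        find "$dir" -type f -exec chmod 600 {} +
}

# Usage: sh script.sh audit|harden [DIR]
case "${1:-}" in
    audit)  audit_key_dir  "${2:-$DEFAULT_KEY_DIR}" ;;
    harden) harden_key_dir "${2:-$DEFAULT_KEY_DIR}" ;;
esac
```

Run the audit from a scheduled job or configuration-management check so that a permission drift on the key directory is reported rather than silently tolerated.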