To secure Ceph:

  • Use cephx to authenticate users and daemons to protect against MitM attacks (information disclosure, tampering). The cephx tool uses shared secret keys for authentication.


    A network communication channel is not encrypted including the messages used to configure sared secret keys. The system is primarily intended to be used in trusted environments.

  • For block storage encryption, Ceph-disk can utilize Linux dm-crypt functionality through the --dmcrypt parameter to mitigate information disclosure threat.


    The keys are stored in /etc/ceph/keys by default, which requires setting strict permissions for this folder.

  • Use Ceph in a multi-project mode to mitigate EoP.