To secure Ceph:
Use cephx to authenticate users and daemons; this protects against man-in-the-middle (MitM) attacks (information disclosure, tampering). cephx uses shared secret keys for authentication.
Note
The network communication channel is not encrypted, including the messages used to configure shared secret keys. The system is primarily intended for use in trusted environments.
For block storage encryption, ceph-disk can use Linux dm-crypt through the --dmcrypt parameter to mitigate the information disclosure threat.
Note
The keys are stored in /etc/ceph/keys by default, which requires setting strict permissions on this directory.
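The two points above (cephx enabled for cluster, service and client authentication; strict permissions on the key directory) are the kind of thing an operator wants to verify on every node. The following POSIX shell helpers are an added example, not part of this guide or of the Ceph project: `check_cephx_conf` confirms that the real ceph.conf options `auth_cluster_required`, `auth_service_required` and `auth_client_required` are all set to `cephx`, and `check_key_dir` reports any key directory or key file that is readable or writable by group or other. The ceph.conf path and the key directory are passed in as arguments, so the defaults shown in the usage call (`/etc/ceph/ceph.conf` and the `/etc/ceph/keys` directory named above) are assumptions about the local layout.

```shell
#!/bin/sh
# Added example (not from the guide or the Ceph project): audit helpers for
# the cephx and key-permission hardening points. Paths are assumptions.

# check_cephx_conf CONF_FILE
# Returns 0 when auth_cluster_required, auth_service_required and
# auth_client_required are all "= cephx" in CONF_FILE, 1 otherwise.
# Both the "auth_cluster_required" and "auth cluster required" spellings
# of an option name are accepted, as ceph.conf allows either.
check_cephx_conf() {
    conf="$1"
    rc=0
    for key in auth_cluster_required auth_service_required auth_client_required; do
        # Turn each "_" in the option name into "[ _]" for the regex.
        pat=$(printf '%s' "$key" | sed 's/_/[ _]/g')
        if grep -Eq "^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*cephx[[:space:]]*$" "$conf"; then
            echo "ok:      $key = cephx"
        else
            echo "MISSING: $key is not set to cephx in $conf"
            rc=1
        fi
    done
    return $rc
}

# check_key_dir DIR
# Returns 0 when DIR itself and every regular file below it have no
# group/other permission bits (i.e. 0700 for the directory, 0600 or
# stricter for key files); prints each offending path and returns 1 otherwise.
check_key_dir() {
    dir="$1"
    rc=0
    if [ -n "$(find "$dir" -maxdepth 0 -perm /077)" ]; then
        echo "WEAK: directory $dir is accessible to group or other"
        rc=1
    fi
    weak=$(find "$dir" -type f -perm /077)
    if [ -n "$weak" ]; then
        printf 'WEAK (group/other bits set on key files):\n%s\n' "$weak"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok:      $dir and its key files are owner-only"
    return $rc
}

# Usage on a node (paths are assumptions about the local layout):
#   check_cephx_conf /etc/ceph/ceph.conf
#   check_key_dir /etc/ceph/keys
```

The permission check looks only at mode bits; confirm separately that the directory and its files are owned by the account the daemons run as (for example with `ls -ld`), since owner-only permissions on a file owned by the wrong user do not help. Disk encryption via `ceph-disk --dmcrypt` is applied when an OSD is prepared and is not something these checks can observe.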
Use Ceph in a multi-project mode to mitigate elevation of privilege (EoP).
See also