Use object storage server-side encryption
TechPreview
When you use Ceph Object Gateway server-side encryption (SSE), unencrypted data sent over HTTPS is stored encrypted by the Ceph Object Gateway in the Ceph cluster. The current implementation integrates Barbican as a key management service.
The object storage SSE feature is enabled by default in MOSK deployments with Barbican. The procedure below uses the AWS CLI S3 client.
To use object storage server-side encryption:

1. Create Amazon Elastic Compute Cloud (EC2) credentials:

   openstack ec2 credentials create

2. Configure AWS CLI with the access and secret created in the previous step:

   aws configure

3. Create a secret key in Barbican:

   openstack secret order create --name <name> --algorithm <algorithm> --mode <mode> --bit-length 256 --payload-content-type=<payload-content-type> key

   Substitute the parameters enclosed in angle brackets:

   - <name> - human-friendly name.
   - <algorithm> - algorithm to use with the requested key. For example, aes.
   - <mode> - algorithm mode to use with the requested key. For example, ctr.
   - <payload-content-type> - type/format of the secret to generate. For example, application/octet-stream.

4. Verify that the key has been created:

   openstack secret order get <order-href>

   Substitute <order-href> with the corresponding value from the output of the previous command.

5. Specify the ceph-rgw user in the Barbican secret Access Control List (ACL):

   1. Obtain the list of ceph-rgw users:

      openstack user list --domain service | grep ceph-rgw

      Example output:

      | c63b70134e0845a2b13c3f947880f66a | ceph-rgwZ6ycK3dY |

      In the output, capture the first value as the <user-id>, which is c63b70134e0845a2b13c3f947880f66a in the above example.

   2. Specify the ceph-rgw user in the Barbican ACL:

      openstack acl user add --user <user-id> <secret-href>

      Substitute <user-id> with the corresponding value from the output of the previous command and <secret-href> with the corresponding value obtained in step 3.

6. Create an S3 bucket:

   aws --endpoint-url <rgw-endpoint-url> --ca-bundle <ca-bundle> s3api create-bucket --bucket <bucket-name>

   Substitute the parameters enclosed in angle brackets:

   - <rgw-endpoint-url> - Ceph Object Gateway endpoint DNS name.
   - <ca-bundle> - CA certificate bundle.
   - <bucket-name> - human-friendly bucket name.

7. Upload a file using object storage SSE:

   aws --endpoint-url <rgw-endpoint-url> --ca-bundle <ca-bundle> s3 cp <path-to-file> "s3://<bucket-name>/<filename>" --sse aws:kms --sse-kms-key-id <key-id>

   Substitute the parameters enclosed in angle brackets:

   - <path-to-file> - path to the file that you want to upload.
   - <filename> - name under which the uploaded file will be stored in the bucket.
   - <key-id> - Barbican secret key ID.

8. Select from the following options to download the file:

   - Download the file using a key:

     aws --endpoint-url <rgw-endpoint-url> --ca-bundle <ca-bundle> s3 cp "s3://<bucket-name>/<filename>" <path-to-output-file> --sse aws:kms --sse-kms-key-id <key-id>

     Substitute <path-to-output-file> with the path to the file you want to download.

   - Download the file without a key:

     aws --endpoint-url <rgw-endpoint-url> --ca-bundle <ca-bundle> s3 cp "s3://<bucket-name>/<filename>" <output-filename>
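The following POSIX shell script is an added example, not part of the MOSK documentation or of the Ceph or Barbican projects. It chains the key-ordering, ACL, bucket and upload steps above into one run and parses the CLI output that the procedure otherwise asks you to copy by hand. It assumes: that the `<key-id>` passed as `--sse-kms-key-id` is the Barbican secret UUID, that is, the last path segment of the secret href (how the Ceph Object Gateway Barbican integration identifies keys; verify against your cluster); that `openstack secret order create` and `openstack secret order get` print `Order href`, `Secret href` and `Status` rows in the usual python-barbicanclient table format; and that the hostnames, paths and the sample output in the comments are constructed placeholders. It also refuses to continue until the key order is `ACTIVE`, and confirms from the object metadata that the upload was actually stored with SSE-KMS.

```shell
#!/bin/sh
# Added example (not from the MOSK documentation): wrapper around the SSE procedure.
# Needs the openstack and aws CLIs plus a configured cloud when run with --run;
# the parsing helpers below work on captured output and need neither.
set -eu

# The S3 KMS key id RGW expects is the Barbican secret UUID, i.e. the last
# path segment of the secret href (assumption; check against your cluster).
secret_id_from_href() {
    href="${1%/}"                 # tolerate a trailing slash
    printf '%s\n' "${href##*/}"
}

# Read `openstack secret order get` table output on stdin and print the
# "Secret href" value (row name as printed by python-barbicanclient; assumption).
secret_href_from_order_output() {
    awk -F'|' '$2 ~ /Secret href/ { gsub(/^ +| +$/, "", $3); print $3; exit }'
}

# Same table, the "Status" row: the key is only usable once the order is ACTIVE.
order_status_from_order_output() {
    awk -F'|' '$2 ~ /^ *Status *$/ { gsub(/^ +| +$/, "", $3); print $3; exit }'
}

# `openstack user list --domain service` table on stdin: print the id column of
# every ceph-rgw user (there can be more than one, hence no early exit).
user_id_from_user_list() {
    awk -F'|' '$3 ~ /ceph-rgw/ { gsub(/^ +| +$/, "", $2); print $2 }'
}

# Full procedure. Arguments: RGW endpoint URL, CA bundle, bucket, file, key name.
run_sse_procedure() {
    rgw_url="$1"; ca_bundle="$2"; bucket="$3"; src="$4"; key_name="$5"
    object_key=$(basename "$src")

    # Step 3: order an AES-256 key in Barbican and keep only the order href.
    order_href=$(openstack secret order create --name "$key_name" --algorithm aes \
        --mode ctr --bit-length 256 --payload-content-type=application/octet-stream \
        key -f value -c "Order href")

    # Step 4: verify the order completed before trusting its secret href.
    order_out=$(openstack secret order get "$order_href")
    status=$(printf '%s\n' "$order_out" | order_status_from_order_output)
    [ "$status" = "ACTIVE" ] || { echo "order $order_href is $status, not ACTIVE" >&2; exit 1; }
    secret_href=$(printf '%s\n' "$order_out" | secret_href_from_order_output)
    key_id=$(secret_id_from_href "$secret_href")

    # Step 5: let every ceph-rgw service user read the secret (least privilege:
    # only RGW, not the S3 client, ever needs the key material).
    for uid in $(openstack user list --domain service | user_id_from_user_list); do
        openstack acl user add --user "$uid" "$secret_href"
    done

    # Steps 6 and 7: create the bucket and upload with SSE-KMS.
    aws --endpoint-url "$rgw_url" --ca-bundle "$ca_bundle" s3api create-bucket --bucket "$bucket"
    aws --endpoint-url "$rgw_url" --ca-bundle "$ca_bundle" s3 cp "$src" \
        "s3://$bucket/$object_key" --sse aws:kms --sse-kms-key-id "$key_id"

    # Check the stored object really carries SSE-KMS (expected value: aws:kms).
    aws --endpoint-url "$rgw_url" --ca-bundle "$ca_bundle" s3api head-object \
        --bucket "$bucket" --key "$object_key" --query 'ServerSideEncryption'
}

# Usage (constructed placeholders):
#   sh sse_demo.sh --run https://rgw.example.com /etc/ssl/certs/ca.pem mybucket ./report.pdf mykey
if [ "${1:-}" = "--run" ]; then
    shift
    run_sse_procedure "$@"
fi
```

Sourcing the script without `--run` only defines the functions, so the parsers can be reused when the CLI output is captured from another host or ticket.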