Encryption
Encryption protects data confidentiality both in transit and at rest:
- In Transit:
- Messenger v2: Configure Ceph internal communication (between MON, OSD, MGR, MDS) to use secure mode, encrypting traffic.
- TLS at RGW: Essential for encrypting S3/Swift traffic between clients and the RGW. Use strong TLS protocols (TLS 1.2+) and ciphers. Obtain certificates from a trusted CA or manage an internal PKI. Configure via Juju relations or charm options.
- Ceph Dashboard HTTPS: The dashboard uses HTTPS by default. Ensure the certificate is valid and trusted.
- Juju Communication: Juju controller-agent communication is secured with TLS automatically.
- At Rest:
- OSD Encryption (via LUKS): Ceph supports encrypting data stored on OSDs using LUKS. This protects data if physical drives are stolen. Charmed Ceph allows enabling OSD encryption during deployment (osd-encrypt option). Key management for LUKS needs to be handled carefully.
- Full Disk Encryption (FDE): Consider encrypting the entire host OS disk, especially for MON nodes holding cluster maps and keys, and RGW nodes potentially caching data. This adds another layer of protection against physical access, managed at the OS level.