Ceph RBD image encryption

[rauth]

Hi There!,

Has anyone used or had the experience of activating Ceph's RBD image encryption? RBD Image encryption

What I want is to have encrypted disks of some VMs. OSD encryption doesn't solve this case, as it doesn't protect against an attacker gaining access to the host.

I also had a look at ZFS encryption, but it doesn't work because we want to have Proxmox clusters and allow live migration/synchronization of VMs and, according to the bug: ZFS storage_migrate does not work if zfs feature@encryption=enabled already reported, these features don't work with encryption.

 

[damo2929]

you could carry out in guest encryption with a TPM 2 attached

 

[fabian]

OSD encryption doesn't solve this case, as it doesn't protect against an attacker gaining access to the host.

if an attacker gains access to the host, then encrypting individual images also doesn't help - PVE would need to have the means to unlock them, whcih means an attacker would have that as well.. encryption at rest only protects against an attacker stealing your storage while the data is not being used.