I have updated a 3-node lab cluster from ZFS to Ceph. Every node has two 1.2 TB disks used by Ceph, and everything works really nicely.
There is only one massive problem - only for me? - with this setup:
When the node was on ZFS, the ZFS storage was encrypted and was not unlocked on server boot. I have a non-encrypted store for some VMs without security needs and an encrypted store for the other ones. After a server boot, the autostart of these VMs was delayed until I logged in with SSH and entered my zfs load-key ztank/vmdata-enc . After this, autostart continued.
Now with Ceph the keys are stored somewhere, as I read, in a SQLite3 DB in a /var/something folder. This encryption is unsafe, because if somebody only gets one disk the data is protected, but if somebody gets the whole server, the system boots up and decrypts the data store.
Booting from a ZFS RAID has the problem that you need an iLO or some other way to unlock the ZFS filesystem so the server can boot by itself.
Is there any way to hold the Ceph encryption keys only temporarily, requiring the key to be entered as with ZFS before?
Thank you for any hint.
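The post-boot unlock step described above, as an added example (my own script, not something from the original post or from the Proxmox/ZFS/Ceph projects): it finds the encrypted ZFS encryption roots whose key is still unavailable, loads each key interactively, and lists the OSD dm-crypt keys that ceph-volume keeps in the monitors' config-key store so you can see where Ceph's keys live. The dataset names (ztank, ztank/vmdata-enc, the vm-100-disk-0 zvol) and the sample zfs get output are constructed assumptions based on the post; the parsing is factored into a function so it can be run without a real pool.

```shell
#!/bin/sh
# Added example, not from the original post.
# After boot, load keys only for ZFS encryption roots that are still locked.
# Child datasets (e.g. zvols under ztank/vmdata-enc) inherit the key from their
# encryption root and must not be passed to zfs load-key themselves.

# Pure text function: given the output of
#   zfs get -H -o name,property,value keystatus,encryptionroot
# print one dataset per line that is an encryption root with keystatus "unavailable".
# Unencrypted datasets report keystatus "none" and are skipped.
locked_encryption_roots() {
    printf '%s\n' "$1" | awk -F '\t' '
        $2 == "keystatus"      { ks[$1] = $3 }
        $2 == "encryptionroot" { er[$1] = $3 }
        END {
            for (n in ks)
                if (ks[n] == "unavailable" && er[n] == n) print n
        }' | sort
}

# Constructed sample of what zfs get prints on a host like the one in the post
# (assumed names: ztank, ztank/vmdata, ztank/vmdata-enc and one zvol below it).
SAMPLE_STATUS=$(printf '%s\t%s\t%s\n' \
    ztank                          keystatus      none \
    ztank                          encryptionroot - \
    ztank/vmdata                   keystatus      none \
    ztank/vmdata                   encryptionroot - \
    ztank/vmdata-enc               keystatus      unavailable \
    ztank/vmdata-enc               encryptionroot ztank/vmdata-enc \
    ztank/vmdata-enc/vm-100-disk-0 keystatus      unavailable \
    ztank/vmdata-enc/vm-100-disk-0 encryptionroot ztank/vmdata-enc)

# Interactive unlock on a real host: prompts for the passphrase of each locked root.
# Zvols become usable as soon as the key is loaded; zfs mount -a mounts filesystems.
unlock_locked_roots() {
    status=$(zfs get -H -o name,property,value keystatus,encryptionroot)
    for ds in $(locked_encryption_roots "$status"); do
        echo "Loading key for $ds"
        zfs load-key "$ds" || return 1
    done
    zfs mount -a
}

# Where ceph-volume stores OSD dm-crypt (LUKS) keys: the monitors' config-key
# store, under the dm-crypt/ prefix. Listing them shows the keys are not held
# on the OSD disk itself but are handed out to the OSD host at boot.
list_ceph_osd_dmcrypt_keys() {
    ceph config-key ls | grep '^dm-crypt/'
}

main() {
    # Skip the real commands where zfs/ceph are not installed (e.g. a workstation).
    command -v zfs >/dev/null 2>&1 || { echo "zfs not present; nothing to unlock" >&2; return 0; }
    unlock_locked_roots
    command -v ceph >/dev/null 2>&1 && list_ceph_osd_dmcrypt_keys
    return 0
}

main
```

Run it as root over SSH after a boot; it only asks for passphrases of roots that are actually locked, so re-running it after the keys are loaded is a no-op. The Ceph listing is a check of where the keys sit, not a way to hold them temporarily.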