Encryption at rest with Ceph

Do you have a big data center? Do you have terabytes of confidential data stored in that data center? Are you worried that your data might be exposed to malicious attacks? One of the most prominent security features of storage solutions is encryption at rest. This post explains encryption at rest in more detail and how it is implemented in Charmed Ceph, Canonical’s software-defined storage solution.

What is data at rest?

Before we dive into encryption, we need to define what data at rest is. There are three states for digital data: data in use, data in transit and data at rest. Data in use refers to active data held in non-persistent volumes, typically RAM or CPU caches. Data in transit is the state where data is transferred over a network, either private or public. Data at rest means inactive data that is stored physically on persistent storage, i.e. disks, databases, data warehouses, mobile devices, archives, etc. When at rest, data can be subject to malicious threats such as data theft or data corruption by an adversary who obtains physical access to the storage hardware. There are multiple security measures to protect data at rest, ranging from password protection and federation to data encryption.

What is data encryption at rest?

Encryption at rest is the encoding of data when it is persisted. It is designed to prevent the attacker from accessing unencrypted data by ensuring all raw data is encrypted when stored on a persistent device. 

Encryption at rest addresses a multitude of potential threats. Starting from the lowest threat level, such as the theft of a single HDD or the loss of a server, up to extremes such as the compromise of an entire rack of servers or the entire data center, businesses will have peace of mind as long as the stolen data was encrypted. The attacker could still get physical access to the storage, but without the encryption keys, it is significantly more complex and resource-consuming to read the encrypted data.

Nowadays, most businesses are interested in data security, especially after the introduction of GDPR. Some also need to comply with industry and government regulations such as HIPAA, PCI-DSS and FedRAMP. Encryption at rest is a prerequisite for some of those regulations and Canonical’s security certification program can help your business stay compliant.

How does encryption at rest work?

Encryption of data on block storage in a Linux environment is quite straightforward. The Ubuntu kernel supports the and utilities, for transparent disk encryption and on-disk encryption key management respectively. However, encryption at rest also requires a key management solution (KMS) to ensure the security of the encryption keys and proper role-based access control (RBAC) definitions. 

Ceph encryption at rest

Charmed Ceph supports encryption at rest out-of-the-box both as part of an OpenStack private cloud deployment and as a standalone storage solution. Charmed Ceph is based on a model-driven approach. All Ceph components are wrapped in charms, that is, code that drives lifecycle management automation.

For Ceph encryption at rest, the selected KMS is Vault. Vault is a widely used Encryption-as-a-Service solution that supports centralised key management and key rotation to ensure cryptographic best practices. When booting up, Vault needs to be unsealed in order for services to connect to it and read their encryption keys. Unsealing Vault requires a master encryption key, which is itself unlocked by a quorum of unseal keys. After initialising Vault, the data center operations team needs to provide a token retrieved from Vault to establish a connection between the Ceph charms and Vault.

Charmed Ceph uses Vaultlocker as an integration component between dm-crypt and Vault. Vaultlocker ensures the encryption keys are only ever held in memory locally and stored persistently in Vault, only to be read from Vault into memory during any subsequent operation, such as unlocking or encryption of a block device.

RBAC is implemented through the Vault charm. The charms use Vault AppRoles to handle communication between Vault and the Ceph cluster. Every storage server of the Ceph cluster has a specific AppRole (consisting of a role ID and secret) which can only be used from a specific IP address.
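As an added illustration (not code from Charmed Ceph, Vault or Vaultlocker) of the AppRole-with-IP-binding and key-only-in-memory flow described in the two paragraphs above, here is a small Python model: the Vault stand-in class, the key path and the bound CIDR are constructed assumptions, and the `cryptsetup` step is a placeholder.

```python
import hashlib
import hmac
import ipaddress
import secrets


class ApproleVault:
    """Constructed stand-in for Vault: roles bound to a CIDR, OSD keys in a KV store."""

    def __init__(self):
        self._roles = {}   # role_id -> (sha256(secret_id), bound network, kv path)
        self._kv = {}      # kv path -> dm-crypt key (hex); the only persistent copy
        self._tokens = {}  # login token -> kv path that token may read

    def create_role(self, kv_path, bound_cidr):
        role_id, secret_id = secrets.token_hex(8), secrets.token_hex(16)
        digest = hashlib.sha256(secret_id.encode()).hexdigest()
        self._roles[role_id] = (digest, ipaddress.ip_network(bound_cidr), kv_path)
        self._kv[kv_path] = secrets.token_hex(32)  # 256-bit key, generated once
        return role_id, secret_id

    def login(self, role_id, secret_id, source_ip):
        """AppRole login succeeds only with a valid secret_id from the bound network."""
        role = self._roles.get(role_id)
        if role is None:
            return None
        digest, network, kv_path = role
        presented = hashlib.sha256(secret_id.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return None
        if ipaddress.ip_address(source_ip) not in network:
            return None  # correct credentials from the wrong host are refused
        token = secrets.token_hex(16)
        self._tokens[token] = kv_path
        return token

    def read_key(self, token, kv_path):
        if self._tokens.get(token) != kv_path:
            return None  # a token is scoped to one storage server's key path
        return self._kv[kv_path]


def unlock_osd(vault, role_id, secret_id, source_ip, kv_path):
    """Vaultlocker-style flow: key is read into memory for the unlock, never to disk."""
    token = vault.login(role_id, secret_id, source_ip)
    if token is None:
        return False
    key = vault.read_key(token, kv_path)
    # Stand-in for `cryptsetup luksOpen` fed the key on stdin (constructed);
    # the key exists only in this process's memory and is dropped on return.
    return key is not None and len(key) == 64
```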

If all of the above sounds fairly complicated, it is mostly because Canonical ensures that the attack surface for Charmed Ceph is the smallest possible. Using Vault and Vaultlocker, Charmed Ceph has a solid approach to data encryption at rest to protect against all possible types of physical device loss in your data center.


Learn more about Charmed Ceph or contact us about your data center storage needs.

Read our Charm Deployment Guide sections on using and .
