Enable full disk encryption in Charmed Ceph

Full disk encryption (FDE) in Charmed Ceph allows operating encrypted OSDs in a Charmed Ceph cluster. See the FDE explanation to learn more about FDE protection and its limitations.

Prerequisites

To use FDE, the following prerequisites must be met:

  • The dm-crypt kernel module must be available. Note that some cloud-optimised kernels do not ship dm-crypt by default. Check by running `sudo modinfo dm-crypt`.

  • The charm configuration option osd-encrypt must be set to True. You can verify its value by running:

    juju config ceph-osd osd-encrypt

Enable FDE

If the prerequisites are met, a newly added disk will be encrypted:

    juju run ceph-osd/* add-disk osd-devices=/dev/sdx

Note that there is no facility to encrypt an OSD that is already part of the cluster. To enable encryption, you will have to take the OSD disk out of the cluster, ensure that the data is replicated and that the cluster has converged and is healthy, and then re-introduce the OSD with encryption.
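Because an OSD cannot be encrypted once it is in the cluster, it is worth scripting the prerequisite checks and confirming the result after adding the disk. The following is an added example, not part of the Charmed Ceph documentation; it assumes a unit named ceph-osd/0 reachable with `juju ssh`, and that the OSD's dm-crypt mapping appears with TYPE `crypt` below the disk in `lsblk`. The function names and sample outputs are constructed.

```shell
#!/usr/bin/env bash
# Added example: preflight and post-add checks for an encrypted OSD.
# Assumed names: application ceph-osd, unit ceph-osd/0, device /dev/sdx.

# Succeeds only if the value printed by `juju config ceph-osd osd-encrypt` is true.
osd_encrypt_enabled() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')" in
        true) return 0 ;;
        *)    return 1 ;;
    esac
}

# Reads `lsblk -rno NAME,TYPE <device>` output on stdin and succeeds if a
# dm-crypt mapping (TYPE "crypt") exists. Carriage returns are stripped
# because output relayed through an SSH pseudo-terminal may contain them.
has_crypt_layer() {
    tr -d '\r' | awk '$2 == "crypt" { found = 1 } END { exit !found }'
}

# Both prerequisites from this page, checked before any disk is added.
preflight() {
    local unit="$1"
    juju ssh "$unit" sudo modinfo dm-crypt >/dev/null \
        || { echo "dm-crypt module not available on $unit" >&2; return 1; }
    osd_encrypt_enabled "$(juju config ceph-osd osd-encrypt)" \
        || { echo "osd-encrypt is not True; new disks would be unencrypted" >&2; return 1; }
}

# Post-add check: the new OSD disk must carry a crypt layer.
verify_encrypted() {
    local unit="$1" dev="$2"
    juju ssh "$unit" lsblk -rno NAME,TYPE "$dev" | has_crypt_layer \
        || { echo "$dev on $unit has no crypt layer" >&2; return 1; }
}

# Constructed lsblk output for an encrypted OSD disk (not real output).
SAMPLE_ENCRYPTED='sdx disk
ceph--vg-osd--block lvm
crypt-mapping crypt'
# Constructed lsblk output for a disk added without encryption.
SAMPLE_PLAIN='sdx disk
ceph--vg-osd--block lvm'

# Usage (not run here):
#   preflight ceph-osd/0 \
#     && juju run ceph-osd/0 add-disk osd-devices=/dev/sdx \
#     && verify_encrypted ceph-osd/0 /dev/sdx
```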
