X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=src%2Fceph%2Fdoc%2Fradosgw%2Fencryption.rst;fp=src%2Fceph%2Fdoc%2Fradosgw%2Fencryption.rst;h=0000000000000000000000000000000000000000;hb=7da45d65be36d36b880cc55c5036e96c24b53f00;hp=a7bb7e2e931b65130c9cd2f4e00c954d75b2a6d1;hpb=691462d09d0987b47e112d6ee8740375df3c51b2;p=stor4nfv.git diff --git a/src/ceph/doc/radosgw/encryption.rst b/src/ceph/doc/radosgw/encryption.rst deleted file mode 100644 index a7bb7e2..0000000 --- a/src/ceph/doc/radosgw/encryption.rst +++ /dev/null @@ -1,56 +0,0 @@ -========== -Encryption -========== - -.. versionadded:: Luminous - -The Ceph Object Gateway supports server-side encryption of uploaded objects, -with 3 options for the management of encryption keys. Server-side encryption -means that the data is sent over HTTP in its unencrypted form, and the Ceph -Object Gateway stores that data in the Ceph Storage Cluster in encrypted form. - -Customer-Provided Keys -====================== - -In this mode, the client passes an encryption key along with each request to -read or write encrypted data. It is the client's responsibility to manage those -keys and remember which key was used to encrypt each object. - -This is implemented in S3 according to the `Amazon SSE-C`_ specification. - -As all key management is handled by the client, no special configuration is -needed to support this encryption mode. - -Key Management Service -====================== - -This mode allows keys to be stored in a secure key management service and -retrieved on demand by the Ceph Object Gateway to serve requests to encrypt -or decrypt data. - -This is implemented in S3 according to the `Amazon SSE-KMS`_ specification. - -In principle, any key management service could be used here, but currently -only integration with `Barbican`_ is implemented. - -See `OpenStack Barbican Integration`_. - -Automatic Encryption (for testing only) -======================================= - -A ``rgw crypt default encryption key`` can be set in ceph.conf to force the -encryption of all objects that do not otherwise specify an encryption mode. - -The configuration expects a base64-encoded 256 bit key. For example:: - - rgw crypt default encryption key = 4YSmvJtBv0aZ7geVgAsdpRnLBEwWSWlMIGnRS8a9TSA= - -.. important:: This mode is for diagnostic purposes only! The ceph configuration - file is not a secure method for storing encryption keys. Keys that are - accidentally exposed in this way should be considered compromised. - - -.. _Amazon SSE-C: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html -.. _Amazon SSE-KMS: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html -.. _Barbican: https://wiki.openstack.org/wiki/Barbican -.. _OpenStack Barbican Integration: ../barbican