[Gluster-devel] Transparent encryption in GlusterFS
From: Edward Shishkin
Subject: [Gluster-devel] Transparent encryption in GlusterFS
Date: Thu, 05 May 2011 22:23:45 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.15) Gecko/20101027 Fedora/3.0.10-1.fc12 Thunderbird/3.0.10

Hello everyone.
We are exploring a possibility to enhance the subject.
Unfortunately many serious encryption modes are "atomic".
That is to say, the cipher transform (encryption/decryption) is
performed in "atoms", i.e. blocks of size more than 1 byte.
In particular this means that we need to read from disk
before performing a partial write. This creates problems
specific to a stackable file system: our local copy of data
can become obsolete if another process modifies the same
block, so that we'll end up with a loss of operations.
Example:
Suppose 2 processes overwrite a large file encrypted in
atomic cipher mode with atom size 8 bytes (e.g. DES-ECB).
Process A wants to overwrite one byte at offset #0, and
process B wants to overwrite one byte at offset #7, i.e.
the same block.
Process A puts the respective "atom" of plain text (the first
8 bytes of the file) on its stack;
Process B puts the same block of plain text on its stack;
Process B modifies its local copy of plain text (overwrites
the byte #7), encrypts the block and writes the result to
disk.
Process A modifies its local copy of plain text (overwrites
the byte #0), encrypts the block and writes the result to
disk.
Here we've lost the modification performed by B, since A
was not aware of that modification.
The straightforward solution is to serialize read-modify-writes.
I wonder if GlusterFS has any per-file serialization means
that would allow us to resolve this problem. Or maybe there are
possibilities to create such means. Any hints would be highly
appreciated.
Thank you in advance,
Edward.
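
The lost update described in this message, replayed deterministically as an added example (not part of the original post and not GlusterFS code). The chained XOR transform is a toy stand-in for an atomic cipher, and `file_lock`, `rmw_locked` and the other names are hypothetical; the mutex only marks where a per-file serialization primitive would sit.

```c
#include <pthread.h>
#include <stdint.h>

#define ATOM 8                       /* atom size used in the message's example */
static const uint8_t KEY[ATOM] = {0x13,0x57,0x9b,0xdf,0x24,0x68,0xac,0xe0};
static uint8_t disk[ATOM];           /* ciphertext of the file's first atom */
static pthread_mutex_t file_lock = PTHREAD_MUTEX_INITIALIZER; /* assumed per-file lock */

/* Toy whole-atom transform (NOT a real cipher): every ciphertext byte
 * depends on the bytes before it, so one byte cannot be patched in place. */
static void store(const uint8_t *pt) {
    uint8_t prev = 0;
    for (int i = 0; i < ATOM; i++) prev = disk[i] = pt[i] ^ KEY[i] ^ prev;
}
static void load(uint8_t *pt) {
    uint8_t prev = 0;
    for (int i = 0; i < ATOM; i++) { pt[i] = disk[i] ^ KEY[i] ^ prev; prev = disk[i]; }
}

/* Interleaving from the message: A and B both read, B writes, then A writes.
 * Returns 1 if both modifications survived, 0 if one was lost. */
int unserialized(void) {
    uint8_t a[ATOM], b[ATOM], out[ATOM];
    store((const uint8_t *)"oldtext!");   /* constructed sample plaintext */
    load(a);                 /* A reads the atom */
    load(b);                 /* B reads the same atom */
    b[7] = 'B'; store(b);    /* B overwrites byte #7 */
    a[0] = 'A'; store(a);    /* A overwrites byte #0 from its stale copy */
    load(out);
    return out[0] == 'A' && out[7] == 'B';
}

/* One read-modify-write performed entirely under the per-file lock. */
static void rmw_locked(int off, uint8_t val) {
    uint8_t pt[ATOM];
    pthread_mutex_lock(&file_lock);
    load(pt); pt[off] = val; store(pt);
    pthread_mutex_unlock(&file_lock);
}

/* The same two writes, serialized. Returns 1 if both survived. */
int serialized(void) {
    uint8_t out[ATOM];
    store((const uint8_t *)"oldtext!");
    rmw_locked(7, 'B');
    rmw_locked(0, 'A');
    load(out);
    return out[0] == 'A' && out[7] == 'B';
}
```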