[Gluster-devel] Transparent encryption in GlusterFS

Edward Shishkin edward at redhat.com
Thu May 5 20:23:45 UTC 2011


Hello everyone.

We are exploring a possibility to enhance the subject.

Unfortunately many serious encryption modes are "atomic".
That said, cipher transform (encryption/decryption) is
going on by "atoms", i.e. blocks of size more than 1 byte.

In particular this means that we need to read from disk
before performing a partial write. This creates problems
specific for stackable file system: our local copy of data
can get obsolete, if another process modifies the same
block, so that we'll end with loss of operations.

Example:

Suppose 2 processes overwrite a large file encrypted in
atomic cipher mode with atom size 8 bytes (e.g. DES-ECB).
Process A wants to overwrite one byte at offset #0, and
process B wants to overwrite one byte at offset #7, i.e.
the same block.

Process A puts a respective "atom" of plain text (the first
8 bytes of the file) to his stack;

Process B puts the same block of plain text to his stack;

Process B modifies its local copy of plain text (overwrite
the byte #7), encrypt the block and write the result to
disk.

Process A modifies its local copy of plain text (overwrite
the byte #0), encrypt the block and write the result to
disk.

Here we've lost the modification performed by B, since A
were not aware about those modification.

The straightforward solution is to serialize read-modify-writes.
I wonder if GlusterFS has any per-file serialization means,
that would allow to resolve this problem. Or maybe there are
possibilities to create such means. Any hints would be highly
appreciated.

Thank you in advance,

Edward.




More information about the Gluster-devel mailing list