[Gluster-users] Secure Setup / Separate GlusterFS / Encryption

Vijay Bellur vbellur at redhat.com
Fri Feb 28 03:29:20 UTC 2014


On 02/26/2014 09:17 PM, Lance Reed wrote:
> I was wondering if anyone has any working examples of the below
> reference of setting up ecryptfs with Gluster?  My attempts so far have
> failed to work correctly and I am looking to ee if it is actually an
> option with the most recent versions of glusterfs?
>
> Thanks in advance for any thoughts!


Slightly OT, The HekaFS encryption translator [1] has found its way into 
GlusterFS 3.5 beta releases. We expect the feature to be in beta for 3.5 
but if you can evaluate it and let us know your feedback, that would be 
very helpful to us!

-Vijay

[1] 
https://www.gluster.org/community/documentation/index.php/Features/disk-encryption


>
>> Finally also on the topic of security how would people suggest handling
>> encryption of client data and working with a storage server hosting
>> different encrypted data
>
> Server-side encryption is possible now, using mechanisms outside of*GlusterFS*
> (e.g. LUKS or*ecryptfs*).  The weakness of such approaches is that the same
> entity - the server operator - will have access to both the encrypted data and
> keys.  In far too many cases, this means both will be equally available to an
> attacker (or even more likely insider).  You might as well not bother
> encrypting at all IMO.
>
> A more robust solution was developed for HekaFS (my now-dormant flavor of
> *GlusterFS*).  In that solution, encryption is done *on the client* using keys
> that never exist on servers.  This provides both security and deniability,
> either of which can be critical in current environments.  A medium-strength
> version of this encryption has existed for about two years in HekaFS, though
> enough has changed that it would probably require a refresh before it could
> even build.  A stronger version - developed in concert with security experts at
> Red Hat and on par with anything else that's out there - has been in review for
> a while and might appear in the next*GlusterFS*  release or two.  Bear in mind
> that even the "medium-strength" version is far more secure in practice than any
> server-side encryption method.
>
>
>
>
> _______________________________________________
> Gluster-users mailing list
> Gluster-users at gluster.org
> http://supercolony.gluster.org/mailman/listinfo/gluster-users
>




More information about the Gluster-users mailing list