diff options
| author |   Qiaowei Ren <qiaowei.ren@intel.com> | 2018-03-01 14:38:11 +0800 |
|---|---|---|
| committer | Qiaowei Ren <qiaowei.ren@intel.com> | 2018-03-01 14:38:11 +0800 |
| commit | 7da45d65be36d36b880cc55c5036e96c24b53f00 (patch) | |
| tree | d4f944eb4f8f8de50a9a7584ffa408dc3a3185b2 /src/ceph/doc/radosgw/encryption.rst | |
| parent | 691462d09d0987b47e112d6ee8740375df3c51b2 (diff) | |
remove ceph code
This patch removes initial ceph code, due to license issue.
Change-Id: I092d44f601cdf34aed92300fe13214925563081c
Signed-off-by: Qiaowei Ren <qiaowei.ren@intel.com>
Diffstat (limited to 'src/ceph/doc/radosgw/encryption.rst')
| -rw-r--r-- | src/ceph/doc/radosgw/encryption.rst | 56 |
1 files changed, 0 insertions, 56 deletions
diff --git a/src/ceph/doc/radosgw/encryption.rst b/src/ceph/doc/radosgw/encryption.rst deleted file mode 100644 index a7bb7e2..0000000 --- a/src/ceph/doc/radosgw/encryption.rst +++ /dev/null @@ -1,56 +0,0 @@ -========== -Encryption -========== - -.. versionadded:: Luminous - -The Ceph Object Gateway supports server-side encryption of uploaded objects, -with 3 options for the management of encryption keys. Server-side encryption -means that the data is sent over HTTP in its unencrypted form, and the Ceph -Object Gateway stores that data in the Ceph Storage Cluster in encrypted form. - -Customer-Provided Keys -====================== - -In this mode, the client passes an encryption key along with each request to -read or write encrypted data. It is the client's responsibility to manage those -keys and remember which key was used to encrypt each object. - -This is implemented in S3 according to the `Amazon SSE-C`_ specification. - -As all key management is handled by the client, no special configuration is -needed to support this encryption mode. - -Key Management Service -====================== - -This mode allows keys to be stored in a secure key management service and -retrieved on demand by the Ceph Object Gateway to serve requests to encrypt -or decrypt data. - -This is implemented in S3 according to the `Amazon SSE-KMS`_ specification. - -In principle, any key management service could be used here, but currently -only integration with `Barbican`_ is implemented. - -See `OpenStack Barbican Integration`_. - -Automatic Encryption (for testing only) -======================================= - -A ``rgw crypt default encryption key`` can be set in ceph.conf to force the -encryption of all objects that do not otherwise specify an encryption mode. - -The configuration expects a base64-encoded 256 bit key. For example:: - - rgw crypt default encryption key = 4YSmvJtBv0aZ7geVgAsdpRnLBEwWSWlMIGnRS8a9TSA= - -.. important:: This mode is for diagnostic purposes only! The ceph configuration - file is not a secure method for storing encryption keys. Keys that are - accidentally exposed in this way should be considered compromised. - - -.. _Amazon SSE-C: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html -.. _Amazon SSE-KMS: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html -.. _Barbican: https://wiki.openstack.org/wiki/Barbican -.. _OpenStack Barbican Integration: ../barbican |