{"id":22023,"date":"2024-04-01T17:36:02","date_gmt":"2024-04-01T14:36:02","guid":{"rendered":"https:\/\/kifarunix.com\/?p=22023"},"modified":"2024-04-08T18:50:27","modified_gmt":"2024-04-08T15:50:27","slug":"how-to-encrypt-data-at-rest-on-ceph-cluster-osd","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-encrypt-data-at-rest-on-ceph-cluster-osd\/","title":{"rendered":"How to Encrypt Data at Rest on Ceph Cluster OSD"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to encrypt data at rest on Ceph Cluster OSD. Current release versions of Ceph support data encryption at rest. But what is encryption at rest? Encryption at rest means protecting the data that is written to or stored on drives from unauthorized access. If drives containing data that is encrypted at rest fall into the hands of a malicious actor, they won't be able to access the data without access to the drive decryption keys.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#encrypting-data-at-rest-on-ceph-cluster-osd\">Encrypting Data at Rest on Ceph Cluster OSD<\/a><ul><li><a href=\"#what-is-the-possible-impact-of-encryption-on-ceph-performance\">What is the Possible Impact of Encryption on Ceph Performance?<\/a><\/li><li><a href=\"#install-ceph-storage-cluster\">Install Ceph Storage Cluster<\/a><\/li><li><a href=\"#add-and-encrypt-os-ds-on-ceph-cluster\">Add and Encrypt OSDs on Ceph Cluster<\/a><ul><li><a href=\"#add-and-encrypt-os-ds-from-the-ceph-dashboard\">Add and Encrypt OSDs from the Ceph Dashboard<\/a><\/li><li><a href=\"#use-osd-service-specification-to-enable-osd-encryption\">Use OSD Service Specification to Enable OSD Encryption<\/a><\/li><li><a href=\"#encrypt-os-ds-from-the-command-line-using-ceph-volume-command\">Encrypt OSDs from the Command Line using ceph-volume Command<\/a><\/li><\/ul><\/li><li><a href=\"#verifying-ceph-osd-encryption\">Verifying Ceph 
OSD Encryption<\/a><ul><li><a href=\"#use-blkid-or-lsblk-commands\">Use blkid or lsblk commands<\/a><\/li><li><a href=\"#use-dmsetup-command\">Use dmsetup command<\/a><\/li><li><a href=\"#check-device-metadata-using-ceph-volume-command\">Check device metadata using ceph-volume command<\/a><\/li><li><a href=\"#verify-drive-luks-information\">Verify Drive LUKS information<\/a><\/li><\/ul><\/li><li><a href=\"#obtaining-osd-encryption-passphrase\">Obtaining OSD Encryption Passphrase<\/a><\/li><li><a href=\"#conclusion\">Conclusion<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"encrypting-data-at-rest-on-ceph-cluster-osd\">Encrypting Data at Rest on Ceph Cluster OSD<\/h2>\n\n\n\n<p>To see how you can encrypt data that is written to Ceph OSDs, follow along with this blog post.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"what-is-the-possible-impact-of-encryption-on-ceph-performance\">What is the Possible Impact of Encryption on Ceph Performance?<\/h3>\n\n\n\n<p>Well, as much as you are trying to maintain security and comply with standards that require data to be encrypted, is there any possible compromise on the performance of Ceph with encryption on?<\/p>\n\n\n\n<p>Yes, this topic has been extensively tested by the Ceph team and the results published in this post, <a href=\"https:\/\/ceph.io\/en\/news\/blog\/2023\/ceph-encryption-performance\/#:~:text=On%2DDisk%20encryption%3A%20This%20is,BlueStore%20uses%20to%20store%20data.\" target=\"_blank\" rel=\"noreferrer noopener\">Ceph Reef Encryption Performance<\/a>. 
Read it before you proceed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-ceph-storage-cluster\">Install Ceph Storage Cluster<\/h3>\n\n\n\n<p>In our previous guide, we learned how to install and set up a Ceph storage cluster.<\/p>\n\n\n\n<p>Therefore, you can follow any of the following guides to install Ceph.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/?s=install+ceph\" target=\"_blank\" rel=\"noreferrer noopener\">How to install and setup Ceph Storage cluster<\/a><\/p>\n\n\n\n<p>You can stop at the point where you need to add the OSDs, so that you can continue with the steps below to learn how to encrypt an OSD while adding it to the Ceph cluster.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"add-and-encrypt-os-ds-on-ceph-cluster\">Add and Encrypt OSDs on Ceph Cluster<\/h3>\n\n\n\n<p>Our Ceph storage cluster is currently running with no OSDs added.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1615\" height=\"839\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/ceph-cluster-dashboard.png?v=1711955870\" alt=\"ceph reef cluster dashboard\" class=\"wp-image-22024\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/ceph-cluster-dashboard.png?v=1711955870 1615w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/ceph-cluster-dashboard-768x399.png?v=1711955870 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/ceph-cluster-dashboard-1536x798.png?v=1711955870 1536w\" sizes=\"(max-width: 1615px) 100vw, 1615px\" \/><\/figure>\n\n\n\n<p>As you can see, there are 0 OSDs added.<\/p>\n\n\n\n<p>You can also confirm the same from the command line;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ceph -s<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>  cluster:\n    id:     9e515c86-ef6b-11ee-9075-131b22dab25f\n    health: HEALTH_WARN\n            <strong>OSD count 0 < osd_pool_default_size 3<\/strong>\n \n  services:\n    mon: 3 
daemons, quorum node01,node02,node03 (age 7h)\n    mgr: node01.mfinxk(active, since 17h), standbys: node02.qcxdky\n    osd: 0 osds: 0 up, 0 in\n \n  data:\n    pools:   0 pools, 0 pgs\n    objects: 0 objects, 0 B\n    usage:   0 B used, 0 B \/ 0 B avail\n    pgs: \n<\/code><\/pre>\n\n\n\n<p>In our setup, we have three Ceph OSD nodes, each with unallocated 100G raw drives. See the example drives on one of the Ceph OSD nodes.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>lsblk<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>NAME                      MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS\nvda                       252:0    0    25G  0 disk \n\u251c\u2500vda1                    252:1    0     1M  0 part \n\u251c\u2500vda2                    252:2    0     2G  0 part \/boot\n\u2514\u2500vda3                    252:3    0    23G  0 part \n  \u2514\u2500ubuntu--vg-ubuntu--lv 253:0    0    23G  0 lvm  \/\n<strong>vdb                       252:16   0   100G  0 disk <\/strong>\n<\/code><\/pre>\n\n\n\n<p><strong>LUKS<\/strong> and <strong>dm-crypt<\/strong> can be used in Ceph to encrypt block devices.<\/p>\n\n\n\n<p>According to the <a href=\"https:\/\/docs.ceph.com\/en\/latest\/ceph-volume\/lvm\/encryption\/\" target=\"_blank\" rel=\"noreferrer noopener\">Ceph Encryption page<\/a>;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>Logical volumes can be encrypted using&nbsp;<code>dmcrypt<\/code>&nbsp;by specifying the&nbsp;<code>--dmcrypt<\/code>&nbsp;flag when creating OSDs<\/em>.<\/li>\n\n\n\n<li>Ceph currently uses LUKS (version 1) due to wide support by all Linux distros supported by Ceph.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"add-and-encrypt-os-ds-from-the-ceph-dashboard\">Add and Encrypt OSDs from the Ceph Dashboard<\/h4>\n\n\n\n<p>To add and encrypt Ceph OSDs from the dashboard, first add the OSD hosts to the cluster: navigate to the Dashboard and head over to <strong>Cluster &gt; Hosts &gt; Hosts List.<\/strong> Click <strong> +Add<\/strong> and 
follow the Add Host wizard to define the node hostname, IP address and the label.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1608\" height=\"575\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/add-osd-node-ceph-dashboard.png?v=1711959621\" alt=\"adding host to ceph cluster on dashboard\" class=\"wp-image-22028\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/add-osd-node-ceph-dashboard.png?v=1711959621 1608w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/add-osd-node-ceph-dashboard-768x275.png?v=1711959621 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/add-osd-node-ceph-dashboard-1536x549.png?v=1711959621 1536w\" sizes=\"(max-width: 1608px) 100vw, 1608px\" \/><\/figure>\n\n\n\n<p>Click <strong>Add Host<\/strong>. After a short while, the host will show up in the hosts list.<\/p>\n\n\n\n<p>Once the host is up, you can proceed to add the OSD from <strong>Cluster &gt; OSDs &gt; OSDs List &gt; +Create<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1606\" height=\"405\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/ceph-add-osd.png?v=1711958502\" alt=\"\" class=\"wp-image-22026\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/ceph-add-osd.png?v=1711958502 1606w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/ceph-add-osd-768x194.png?v=1711958502 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/ceph-add-osd-1536x387.png?v=1711958502 1536w\" sizes=\"(max-width: 1606px) 100vw, 1606px\" \/><\/figure>\n\n\n\n<p>On the Create OSD screen:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The deployment option is automatically selected based on the drive type detected on your node.<\/li>\n\n\n\n<li>Click the Advanced Mode drop-down for more options, such as choosing which drive to use for the OSD if your node has multiple drives attached. 
Otherwise, all available un-used drives will be used for OSD.<\/li>\n\n\n\n<li>Click the <strong>Encryption<\/strong> check box to enable OSD encryption.<br><img loading=\"lazy\" decoding=\"async\" width=\"780\" height=\"319\" class=\"wp-image-22038\" style=\"width: 780px;\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/add-osd-node-ceph-dashboard-1.png\" alt=\"\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/add-osd-node-ceph-dashboard-1.png?v=1711963615 1608w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/add-osd-node-ceph-dashboard-1-768x314.png?v=1711963615 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/add-osd-node-ceph-dashboard-1-1536x628.png?v=1711963615 1536w\" sizes=\"(max-width: 780px) 100vw, 780px\" \/><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Click <strong>Create OSDs<\/strong> to create your encrypted OSD.<\/li>\n\n\n\n<li>After a short while, the OSD should now be added.<br><em><img loading=\"lazy\" decoding=\"async\" width=\"780\" height=\"181\" class=\"wp-image-22039\" style=\"width: 780px;\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/ceph-osd-added.png\" alt=\"\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/ceph-osd-added.png?v=1711963827 1610w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/ceph-osd-added-768x178.png?v=1711963827 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/ceph-osd-added-1536x356.png?v=1711963827 1536w\" sizes=\"(max-width: 780px) 100vw, 780px\" \/><\/em><\/li>\n\n\n\n<li>Click the drop down button to see more OSD details.<\/li>\n<\/ul>\n\n\n\n<p>If you had added multiple hosts with usable drives, those drives will be automatically added as OSDs and they will be automatically encrypted as well.<\/p>\n\n\n\n<p>Similarly, if you add any additional host, with drives that can be used as OSDs, then those drives will be automatically detected and used as OSDs. 
And of course, they will be encrypted as well!<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"use-osd-service-specification-to-enable-osd-encryption\">Use OSD Service Specification to Enable OSD Encryption<\/h4>\n\n\n\n<p>Let&#8217;s assume you have added storage hosts to your cluster already;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ceph orch host ls<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>HOST    ADDR            LABELS        STATUS  \nnode01  192.168.122.97  _admin,mon01          \nnode02  192.168.122.98  mon02                 \nnode03  192.168.122.99  mon03                 \nnode04  192.168.122.200  osd01                 \nnode05  192.168.122.201  osd02                 \n5 hosts in cluster\n<\/code><\/pre>\n\n\n\n<p>Once you have the hosts in place, with drives that can be used as OSDs attached to the OSD nodes;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ceph orch device ls<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>HOST    PATH      TYPE  DEVICE ID   SIZE  AVAILABLE  REFRESHED  REJECT REASONS  \nnode04  \/dev\/vdb  hdd               100G  Yes        5s ago                     \nnode05  \/dev\/vdb  hdd               100G  Yes        5s ago \n<\/code><\/pre>\n\n\n\n<p>then proceed to create new OSDs and encrypt them.<\/p>\n\n\n\n<p>An <a href=\"https:\/\/docs.ceph.com\/en\/latest\/cephadm\/services\/#service-specification\" target=\"_blank\" rel=\"noreferrer noopener\">OSD service specification<\/a> is a file that defines the OSD drive configuration. 
This configuration file gives you the ability to either enable or disable OSD encryption.<\/p>\n\n\n\n<p>This is a sample OSD service specification (<em>extracted from an existing cluster with OSDs already added<\/em>);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ceph orch ls --service-type osd --export<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>service_type: osd\nservice_id: cost_capacity\nservice_name: osd.cost_capacity\nplacement:\n  host_pattern: '*'\nspec:\n  data_devices:\n    rotational: 1\n  encrypted: true\n  filter_logic: AND\n  objectstore: bluestore\n<\/code><\/pre>\n\n\n\n<p>So, what are the properties of an OSD service specification?<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>service_type<\/strong>: Specifies the type of Ceph service, which can be any of <code>mon<\/code>,&nbsp;<code>crash<\/code>,&nbsp;<code>mds<\/code>,&nbsp;<code>mgr<\/code>,&nbsp;<code>osd<\/code>&nbsp;or&nbsp;<code>rbd-mirror<\/code>, a gateway (<code>nfs<\/code>&nbsp;or&nbsp;<code>rgw<\/code>), part of the monitoring stack (<code>alertmanager<\/code>,&nbsp;<code>grafana<\/code>,&nbsp;<code>node-exporter<\/code>&nbsp;or&nbsp;<code>prometheus<\/code>) or <code>container<\/code> for custom containers.<\/li>\n\n\n\n<li><strong>service_id<\/strong>: Unique name identifier of the service, such as the OSD deployment option used in the example above. It is <strong>recommended<\/strong> that the OSD spec defines the service_id.<\/li>\n\n\n\n<li><strong>service_name<\/strong>: defines the custom name of the service.<\/li>\n\n\n\n<li><strong>placement<\/strong>: defines the hosts on which the OSDs need to be deployed. It can take any of the following options:\n<ul class=\"wp-block-list\">\n<li><strong>host_pattern<\/strong>:&nbsp;A host name pattern used to select hosts. 
&#8216;<strong>*&#8217;<\/strong> means all hosts (<em><strong>including even those that will be added later<\/strong><\/em>), <strong>&#8220;host[1-3]&#8221;<\/strong> matches host1, host2, host3&#8230;<\/li>\n\n\n\n<li><strong>label<\/strong>:&nbsp;A label applied to the hosts where OSDs need to be deployed.<\/li>\n\n\n\n<li><strong>hosts<\/strong>:&nbsp;An explicit list of host names where OSDs need to be deployed.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>spec<\/strong>: defines the OSD device properties;\n<ul class=\"wp-block-list\">\n<li><strong>data_devices<\/strong>: Defines the devices on which to deploy OSDs and the <a href=\"https:\/\/docs.ceph.com\/en\/latest\/cephadm\/services\/osd\/#filters\" target=\"_blank\" rel=\"noreferrer noopener\">attributes<\/a> of those devices. For example, <code>rotational<\/code> specifies whether the drive is an NVMe\/SSD (0) or a normal HDD (1).<\/li>\n\n\n\n<li><strong>encrypted<\/strong>: Specifies whether to encrypt the OSD drives with LUKS (<strong>true<\/strong>) or not (<strong>false<\/strong>).<\/li>\n\n\n\n<li><strong>filter_logic<\/strong>: defines the logic used to match disks with filters. The default value is \u2018AND\u2019.<\/li>\n\n\n\n<li><strong>objectstore<\/strong>: defines the Ceph storage backend, which is <strong>bluestore<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>You can define specs for different drives. 
Just separate the specifications from each other with a <code>---<\/code> line in the YAML file.<\/p>\n\n\n\n<p>So you can create your own OSD specification file and apply it to create OSDs based on your specifications.<\/p>\n\n\n\n<p>In this guide, we will use the specification above to create and encrypt our OSDs.<\/p>\n\n\n\n<p>So, let&#8217;s create a YAML file to put our OSD drive specification parameters in.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>cat > osd-spec.yaml &lt;&lt; EOL\nservice_type: osd\nservice_id: cost_capacity\nservice_name: osd.cost_capacity\nplacement:\n  host_pattern: '*'\nspec:\n  data_devices:\n    rotational: 1\n  encrypted: true\n  filter_logic: AND\n  objectstore: bluestore\nEOL\n<\/code><\/pre>\n\n\n\n<p>Once you are ready to go, use the ceph command to apply the specification to the cluster.<\/p>\n\n\n\n<p>Before you write the changes, do a dry run;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ceph orch apply -i osd-spec.yaml --dry-run<\/code><\/pre>\n\n\n\n<p>When you execute the command the first time, you will have to wait a little bit: <strong>Preview data is being generated.. Please re-run this command in a bit.<\/strong><\/p>\n\n\n\n<p>Then re-run the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ceph orch apply -i osd-spec.yaml --dry-run<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>WARNING! Dry-Runs are snapshots of a certain point in time and are bound \nto the current inventory setup. If any of these conditions change, the \npreview will be invalid. 
Please make sure to have a minimal \ntimeframe between planning and applying the specs.\n####################\nSERVICESPEC PREVIEWS\n####################\n+---------+------+--------+-------------+\n|SERVICE  |NAME  |ADD_TO  |REMOVE_FROM  |\n+---------+------+--------+-------------+\n+---------+------+--------+-------------+\n################\nOSDSPEC PREVIEWS\n################\n+---------+---------------+--------+----------+----+-----+\n|SERVICE  |NAME           |HOST    |DATA      |DB  |WAL  |\n+---------+---------------+--------+----------+----+-----+\n|osd      |cost_capacity  |node04  |\/dev\/vdb  |-   |-    |\n|osd      |cost_capacity  |node05  |\/dev\/vdb  |-   |-    |\n+---------+---------------+--------+----------+----+-----+\n<\/code><\/pre>\n\n\n\n<p>If all is well, write the changes!<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ceph orch apply -i osd-spec.yaml<\/code><\/pre>\n\n\n\n<p>You can also apply the specification from standard input without using a file;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>cat &lt;&lt; EOL | sudo ceph orch apply -i -\nservice_type: osd\nservice_id: cost_capacity\nservice_name: osd.cost_capacity\nplacement:\n  host_pattern: '*'\nspec:\n  data_devices:\n    rotational: 1\n  encrypted: true\n  filter_logic: AND\n  objectstore: bluestore\nEOL\n<\/code><\/pre>\n\n\n\n<p>Check the OSD status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ceph osd status<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>ID  HOST     USED  AVAIL  WR OPS  WR DATA  RD OPS  RD DATA  STATE      \n 0  node04  26.2M  99.9G      0        0       0        0   exists,up  \n 1  node05   426M  99.5G      0        0       0        0   exists,up\n<\/code><\/pre>\n\n\n\n<p>Check Ceph status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ceph -s<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>  cluster:\n    id:     ad7f576a-f1de-11ee-b470-fb0098ab30ad\n    health: HEALTH_WARN\n            OSD count 2 < 
osd_pool_default_size 3\n \n  services:\n    mon: 5 daemons, quorum node01,node02,node03,node05,node04 (age 5h)\n    mgr: node02.ptcclf(active, since 5h), standbys: node04.oenghv\n    <strong>osd: 2 osds: 2 up (since 58s), 2 in (since 87s)<\/strong>\n \n  data:\n    pools:   0 pools, 0 pgs\n    objects: 0 objects, 0 B\n    usage:   452 MiB used, 200 GiB \/ 200 GiB avail\n    pgs:\n<\/code><\/pre>\n\n\n\n<p>Status from the Dashboard;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1603\" height=\"446\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/ceph-osds.png?v=1712249656\" alt=\"\" class=\"wp-image-22064\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/ceph-osds.png?v=1712249656 1603w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/ceph-osds-768x214.png?v=1712249656 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/ceph-osds-1536x427.png?v=1712249656 1536w\" sizes=\"(max-width: 1603px) 100vw, 1603px\" \/><\/figure>\n\n\n\n<p>From the command line, you can add additional OSD nodes and label them.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ceph orch host add node06 192.168.122.202 osd03<\/code><\/pre>\n\n\n\n<p>Ceph will then scan the host for unallocated drives and set them up as OSDs. 
It also enables encryption at the same time, since OSD encryption is already enabled cluster-wide in the spec.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ceph -s<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>  cluster:\n    id:     ad7f576a-f1de-11ee-b470-fb0098ab30ad\n    health: HEALTH_OK\n \n  services:\n    mon: 5 daemons, quorum node01,node02,node03,node05,node04 (age 6h)\n    mgr: node02.ptcclf(active, since 6h), standbys: node04.oenghv\n    osd: 3 osds: 2 up (since 20m), 3 in (since 10s)\n \n  data:\n    pools:   0 pools, 0 pgs\n    objects: 0 objects, 0 B\n    usage:   452 MiB used, 200 GiB \/ 200 GiB avail\n    pgs:\n<\/code><\/pre>\n\n\n\n<p>We have added three OSD nodes;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ceph orch host ls<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>HOST    ADDR             LABELS              STATUS  \nnode01  192.168.122.97   _admin,mon01,mgr01          \nnode02  192.168.122.98   mon02,mgr02                 \nnode03  192.168.122.99   mon03                       \nnode04  192.168.122.200  osd01                       \nnode05  192.168.122.201  osd02                       \nnode06  192.168.122.202  osd03                       \n6 hosts in cluster\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"encrypt-os-ds-from-the-command-line-using-ceph-volume-command\">Encrypt OSDs from the Command Line using ceph-volume Command<\/h4>\n\n\n\n<p>Ceph provides yet another command that can be used to manually manage various OSD operations, such as preparing, activating, creating, deleting and scanning OSD drives on the OSD nodes. <strong>ceph-volume<\/strong> can be used to enable encryption for the underlying OSD devices when they are being added to the Ceph storage cluster. 
Read more on the <a href=\"https:\/\/docs.ceph.com\/en\/latest\/man\/8\/ceph-volume\/\" target=\"_blank\" rel=\"noreferrer noopener\">ceph-volume man page\/documentation<\/a>.<\/p>\n\n\n\n<p>The command is not usually installed by default. Therefore, on all OSD nodes, install the <strong><code>ceph-volume<\/code><\/strong> package to get the ceph-volume command.<\/p>\n\n\n\n<p>(<em>We are using Ubuntu on our OSD nodes; refer to the documentation on how to install ceph-volume on other Linux distros<\/em>)<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo su -<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>wget -q -O- 'https:\/\/download.ceph.com\/keys\/release.asc' | \\\ngpg --dearmor -o \/etc\/apt\/trusted.gpg.d\/cephadm.gpg<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>echo deb https:\/\/download.ceph.com\/debian-reef\/ $(lsb_release -sc) main \\\n&gt; \/etc\/apt\/sources.list.d\/cephadm.list<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>apt update<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install ceph-volume<\/code><\/pre>\n\n\n\n<p>You can even check the help page;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ceph-volume -h<\/code><\/pre>\n\n\n\n<p>Once the package is in place:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>proceed to define how the OSD client nodes will connect to the Ceph cluster monitor nodes. This can be achieved by editing or creating (if it does not exist) the <strong>ceph.conf<\/strong> file on the OSD client and defining the monitor node addresses.<\/li>\n\n\n\n<li>Similarly, in order for the ceph-volume client to bootstrap the OSD on the Ceph cluster, it requires the client OSD bootstrap key installed on the OSD nodes. The key is used to authenticate and authorize the OSD Ceph client to bootstrap the OSD. 
You can place the key in the ceph.conf file on the client node.<\/li>\n<\/ul>\n\n\n\n<p>Sample config;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo cat \/etc\/ceph\/ceph.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code># minimal ceph.conf for 8a7f658e-f3f5-11ee-9a19-4d1575fdfd98\n[global]\n\tfsid = 8a7f658e-f3f5-11ee-9a19-4d1575fdfd98\n\tmon_host = [v2:192.168.122.78:3300\/0,v1:192.168.122.78:6789\/0] [v2:192.168.122.79:3300\/0,v1:192.168.122.79:6789\/0] [v2:192.168.122.80:3300\/0,v1:192.168.122.80:6789\/0] [v2:192.168.122.90:3300\/0,v1:192.168.122.90:6789\/0] [v2:192.168.122.91:3300\/0,v1:192.168.122.91:6789\/0]\n<\/code><\/pre>\n\n\n\n<p>Therefore, run this command on the admin node to copy the ceph.conf to the OSD nodes.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ceph config generate-minimal-conf | ssh root@node03 '&#91; ! -d \/etc\/ceph ] &amp;&amp; mkdir -p \/etc\/ceph; cat &gt; \/etc\/ceph\/ceph.conf'<\/code><\/pre>\n\n\n\n<p>This installs ceph.conf on node03, which is one of my OSD nodes. Do the same on the other OSD nodes.<\/p>\n\n\n\n<p>Append the Ceph client OSD bootstrap authentication key, <strong>client.bootstrap-osd<\/strong>, to the ceph.conf file copied above.<\/p>\n\n\n\n<p>You can confirm the presence of this key on the Ceph admin node;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ceph auth list<\/code><\/pre>\n\n\n\n<p>You can check the key details by running;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ceph auth get client.bootstrap-osd<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>[client.bootstrap-osd]\n\tkey = AQCWERFmBvnRFxAANvFxM+D\/QKGZwi40R91uWQ==\n\tcaps mon = \"allow profile bootstrap-osd\"\n<\/code><\/pre>\n\n\n\n<p>So, copy the bootstrap key and append it to the ceph.conf file on the OSD client node.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ceph auth get client.bootstrap-osd | ssh root@node03 '&#91; ! 
-d \/etc\/ceph ] &amp;&amp; mkdir -p \/etc\/ceph; cat &gt;&gt; \/etc\/ceph\/ceph.conf'<\/code><\/pre>\n\n\n\n<p>This is how the OSD client Ceph configuration looks now.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@node03:~# cat \/etc\/ceph\/ceph.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code># minimal ceph.conf for 8a7f658e-f3f5-11ee-9a19-4d1575fdfd98\n[global]\n\tfsid = 8a7f658e-f3f5-11ee-9a19-4d1575fdfd98\n\tmon_host = [v2:192.168.122.78:3300\/0,v1:192.168.122.78:6789\/0] [v2:192.168.122.79:3300\/0,v1:192.168.122.79:6789\/0] [v2:192.168.122.90:3300\/0,v1:192.168.122.90:6789\/0] [v2:192.168.122.91:3300\/0,v1:192.168.122.91:6789\/0]\n[client.bootstrap-osd]\n\tkey = AQCWERFmBvnRFxAANvFxM+D\/QKGZwi40R91uWQ==\n\tcaps mon = \"allow profile bootstrap-osd\"\n<\/code><\/pre>\n\n\n\n<p>Now that the Ceph OSD client authentication to the Ceph cluster is sorted, proceed to create an OSD and enable LUKS encryption using the ceph-volume command.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>lsblk<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>NAME                      MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS\nvda                       252:0    0   50G  0 disk \n\u251c\u2500vda1                    252:1    0    1M  0 part \n\u251c\u2500vda2                    252:2    0    2G  0 part \/boot\n\u2514\u2500vda3                    252:3    0   48G  0 part \n  \u2514\u2500ubuntu--vg-ubuntu--lv 253:0    0   48G  0 lvm  \/\nvdb                       252:16   0  100G  0 disk \n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ceph-volume lvm create --bluestore --data \/dev\/vdb --dmcrypt<\/code><\/pre>\n\n\n\n<p>If the command completed successfully, you should see;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\nRunning command: \/usr\/bin\/systemctl enable --runtime ceph-osd@0\nRunning command: \/usr\/bin\/systemctl start ceph-osd@0\n--> ceph-volume lvm activate successful for osd ID: 0\n--> ceph-volume lvm create successful for: 
\/dev\/vdb\n<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote has-medium-font-size is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Note that the Ceph status may show OSDs added via ceph-volume as stray. This is because a cephadm-managed cluster expects OSDs to be added via the cephadm command.<\/p>\n\n\n\n<p>This should confirm that the OSD is fine and works as expected despite the stray alert.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ceph osd status<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>ID  HOST     USED  AVAIL  WR OPS  WR DATA  RD OPS  RD DATA  STATE      \n 0  node03  27.3M  99.9G      0        0       0        0   exists,up \n<\/code><\/pre>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"verifying-ceph-osd-encryption\">Verifying Ceph OSD Encryption<\/h3>\n\n\n\n<p>With that said and done, how can you actually verify and confirm that your OSDs are indeed encrypted?<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"use-blkid-or-lsblk-commands\">Use <strong>blkid<\/strong> or <strong>lsblk<\/strong> commands<\/h4>\n\n\n\n<p>As you are already aware, Ceph uses <strong>LUKS<\/strong> to encrypt devices. 
LUKS utilizes <strong>dm-crypt<\/strong> (device mapper crypt) to perform the actual encryption and decryption operations.<\/p>\n\n\n\n<p>Therefore, to check if your OSD drives have been encrypted, you can use the <strong>lsblk<\/strong> or <strong>blkid<\/strong> commands to check if the device <strong>type<\/strong> has been set to <strong>crypt<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>lsblk<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>vda                                                                                                   252:0    0    25G  0 disk  \n\u251c\u2500vda1                                                                                                252:1    0     1M  0 part  \n\u251c\u2500vda2                                                                                                252:2    0     2G  0 part  \/boot\n\u2514\u2500vda3                                                                                                252:3    0    23G  0 part  \n  \u2514\u2500ubuntu--vg-ubuntu--lv                                                                             253:0    0    23G  0 lvm   \/\n<strong>vdb                                                                                                   252:16   0   100G  0 disk  \n\u2514\u2500ceph--77ed4102--9aa3--46bb--a15c--ea153402a145-osd--block--032e3d0c--852a--47d7--9d8e--cb5edb5e9385 253:1    0   100G  0 lvm   \n  \u2514\u2500Lf51dM-9AjA-VXcr-4Xzh-fg5V-NMC5-OtWm2G                                                            253:2    0   100G  0 crypt<\/strong>\n<\/code><\/pre>\n\n\n\n<p>Check with blkid;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>blkid<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\/dev\/mapper\/ubuntu--vg-ubuntu--lv: UUID=\"3a831e3a-ad80-41f3-8522-a4dd0339a313\" BLOCK_SIZE=\"4096\" TYPE=\"ext4\"\n\/dev\/vda2: UUID=\"3fe75a77-1468-4afd-8cc0-16c918998504\" BLOCK_SIZE=\"4096\" TYPE=\"ext4\" 
PARTUUID=\"516263b8-9f12-4606-97ac-00e662aa43ba\"\n\/dev\/vda3: UUID=\"6IXVle-syS2-5NBM-pSeG-2lmN-Xqds-3OVWmn\" TYPE=\"LVM2_member\" PARTUUID=\"6bb1ea38-2b0e-40f3-917c-6c0f35aed4ab\"\n<strong>\/dev\/mapper\/ceph--77ed4102--9aa3--46bb--a15c--ea153402a145-osd--block--032e3d0c--852a--47d7--9d8e--cb5edb5e9385: UUID=\"533c9923-0d05-4728-b000-98e6073d352a\" TYPE=\"crypto_LUKS\"\n<\/strong>\/dev\/vdb: UUID=\"hkpkHM-XSOw-8zOC-oOgp-1vpe-6FP5-8k02Cs\" TYPE=\"LVM2_member\"\n\/dev\/mapper\/Lf51dM-9AjA-VXcr-4Xzh-fg5V-NMC5-OtWm2G: TYPE=\"ceph_bluestore\"\n\/dev\/vda1: PARTUUID=\"46e914b8-4bad-4a15-a717-05f331e1348a\"\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"use-dmsetup-command\">Use dmsetup command<\/h4>\n\n\n\n<p>You can use dmsetup command to check device info;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo dmsetup info<\/code><\/pre>\n\n\n\n<p>LUKS encrypted devices should have &#8220;crypt&#8221; on UUID.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Name:              Lf51dM-9AjA-VXcr-4Xzh-fg5V-NMC5-OtWm2G\nState:             ACTIVE\nRead Ahead:        256\nTables present:    LIVE\nOpen count:        24\nEvent number:      0\nMajor, minor:      253, 2\nNumber of targets: 1\n<strong>UUID: CRYPT-LUKS2-533c99230d054728b00098e6073d352a-Lf51dM-9AjA-VXcr-4Xzh-fg5V-NMC5-OtWm2G\n<\/strong>\nName:              ceph--77ed4102--9aa3--46bb--a15c--ea153402a145-osd--block--032e3d0c--852a--47d7--9d8e--cb5edb5e9385\nState:             ACTIVE\nRead Ahead:        256\nTables present:    LIVE\nOpen count:        1\nEvent number:      0\nMajor, minor:      253, 1\nNumber of targets: 1\nUUID: LVM-nKdTOHbx49cPGV0oGwan8UHxWCnIUzPtLf51dM9AjAVXcr4Xzhfg5VNMC5OtWm2G\n\nName:              ubuntu--vg-ubuntu--lv\nState:             ACTIVE\nRead Ahead:        256\nTables present:    LIVE\nOpen count:        1\nEvent number:      0\nMajor, minor:      253, 0\nNumber of targets: 1\nUUID: LVM-5FgBZu71fPGdhHYjBHMuBi3fkNg8brDb68qG8z9MtNnVnUjeG1Bg4EF8rfHc73Y8\n<\/code><\/pre>\n\n\n\n<h4 
class=\"wp-block-heading\" id=\"check-device-metadata-using-ceph-volume-command\">Check device metadata using ceph-volume command<\/h4>\n\n\n\n<p>Next, check the device metadata and look for the keyword, <strong>encrypted<\/strong>. If the drive is encrypted, the value of this keyword should be <strong>1<\/strong>, otherwise it is <strong>0<\/strong>.<\/p>\n\n\n\n<p>Also, remember, as much as we raw devices for OSD, Ceph formatted them and converted them info LVM.<\/p>\n\n\n\n<p>See example from one of the OSD nodes;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ceph-volume lvm list<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>====== osd.1 =======\n\n  [block]       \/dev\/ceph-77ed4102-9aa3-46bb-a15c-ea153402a145\/osd-block-032e3d0c-852a-47d7-9d8e-cb5edb5e9385\n\n      block device              \/dev\/ceph-77ed4102-9aa3-46bb-a15c-ea153402a145\/osd-block-032e3d0c-852a-47d7-9d8e-cb5edb5e9385\n      block uuid                Lf51dM-9AjA-VXcr-4Xzh-fg5V-NMC5-OtWm2G\n      cephx lockbox secret      AQAkggpmGHmONhAAnX5cWOks3Lr1ULJB8BnWGg==\n      cluster fsid              9e515c86-ef6b-11ee-9075-131b22dab25f\n      cluster name              ceph\n      crush device class        \n      encrypted                 1\n      osd fsid                  032e3d0c-852a-47d7-9d8e-cb5edb5e9385\n      osd id                    1\n      osdspec affinity          cost_capacity\n      type                      block\n      vdo                       0\n      devices                   \/dev\/vdb\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>  encrypted                 1<\/strong><\/code><\/pre>\n\n\n\n<p>That confirms OSD drive encryption.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"verify-drive-luks-information\">Verify Drive LUKS information<\/h4>\n\n\n\n<p>Now, that you have verified encryption is on, you can try to dump the drive information.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cryptsetup luksDump 
\/dev\/ceph-77ed4102-9aa3-46bb-a15c-ea153402a145\/osd-block-032e3d0c-852a-47d7-9d8e-cb5edb5e9385<\/code><\/pre>\n\n\n\n<p>The block device path is the one reported by the ceph-volume lvm list command above.<\/p>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>LUKS header information\nVersion:       \t2\nEpoch:         \t3\nMetadata area: \t16384 [bytes]\nKeyslots area: \t16744448 [bytes]\nUUID:          \t533c9923-0d05-4728-b000-98e6073d352a\nLabel:         \t(no label)\nSubsystem:     \t(no subsystem)\nFlags:       \t(no flags)\n\nData segments:\n  0: crypt\n\toffset: 16777216 [bytes]\n\tlength: (whole device)\n\tcipher: aes-xts-plain64\n\tsector: 512 [bytes]\n\nKeyslots:\n  0: luks2\n\tKey:        512 bits\n\tPriority:   normal\n\tCipher:     aes-xts-plain64\n\tCipher key: 512 bits\n\tPBKDF:      argon2i\n\tTime cost:  4\n\tMemory:     1048576\n\tThreads:    2\n\tSalt:       6c 4b 0b a7 d3 bd d0 7e af 83 3a a2 83 b1 4f 83 \n\t            a3 07 38 06 16 dd 6b 2e cf 88 64 a1 18 7d a0 42 \n\tAF stripes: 4000\n\tAF hash:    sha256\n\tArea offset:32768 [bytes]\n\tArea length:258048 [bytes]\n\tDigest ID:  0\nTokens:\nDigests:\n  0: pbkdf2\n\tHash:       sha256\n\tIterations: 163840\n\tSalt:       6b 51 27 28 10 4a ab 9c 0a 96 01 dd cc 4a 6e 73 \n\t            fc ce 27 bd 97 69 cd 5a 67 14 a0 94 49 aa a1 12 \n\tDigest:     81 25 76 0e a6 df e0 15 55 bc f5 15 62 db b2 0b \n\t            f2 9a 35 84 f8 46 4a fc cd ac f5 0c 19 a9 54 6e\n<\/code><\/pre>\n\n\n\n<p>The header is LUKS2 with a single keyslot (slot 0) holding the passphrase that Ceph manages. The data segment is encrypted with aes-xts-plain64 using a 512-bit key, that is AES-256 in XTS mode, the keyslot is protected with Argon2i, and there are no tokens, so nothing stored on the drive itself can unlock it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"obtaining-osd-encryption-passphrase\">Obtaining OSD Encryption Passphrase<\/h3>\n\n\n\n<p>Now that you have confirmed that the OSDs are encrypted with LUKS, where does Ceph store the OSD LUKS encryption passphrase?<\/p>\n\n\n\n<p>Ceph stores each OSD&#8217;s LUKS passphrase in the monitors&#8217; config-key store, under the key <strong>dm-crypt\/osd\/$OSD_FSID\/luks<\/strong>. Each encrypted OSD also gets a dedicated cephx identity, <strong>client.osd-lockbox.$OSD_FSID<\/strong>, whose only capability is to read that one key; ceph-volume uses this lockbox identity at activation time to fetch the passphrase and open the dm-crypt device.<\/p>\n\n\n\n<p>You can see these lockbox identities and their capabilities with the command below;<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>sudo ceph auth list<\/code><\/pre>\n\n\n\n<p>Look for keys like <strong>client.osd-lockbox.$OSD_UUID<\/strong>.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>client.osd-lockbox.011bb406-c3f1-42ed-b614-0ea889c93956\n\tkey: AQAgfgpmipDxMBAAr1Y8vrS\/fF6wQwV1s3x\/Qg==\n\tcaps: [mon] allow command \"config-key get\" with key=\"dm-crypt\/osd\/011bb406-c3f1-42ed-b614-0ea889c93956\/luks\"\nclient.osd-lockbox.032e3d0c-852a-47d7-9d8e-cb5edb5e9385\n\tkey: AQAkggpmGHmONhAAnX5cWOks3Lr1ULJB8BnWGg==\n\tcaps: [mon] allow command \"config-key get\" with key=\"dm-crypt\/osd\/032e3d0c-852a-47d7-9d8e-cb5edb5e9385\/luks\"\nclient.osd-lockbox.a8df6061-c22b-452f-882b-01fbe7f42d93\n\tkey: AQCOiQpmtc6xIhAArd2TL\/Oypzc1MTqA0ShIQQ==\n\tcaps: [mon] allow command \"config-key get\" with key=\"dm-crypt\/osd\/a8df6061-c22b-452f-882b-01fbe7f42d93\/luks\"\n<\/code><\/pre>\n\n\n\n<p>The format of the key\/value is <strong>dm-crypt\/osd\/$OSD_UUID\/luks<\/strong>.<\/p>\n\n\n\n<p>You can get the OSD UUID using the <strong>ceph-volume<\/strong> command on the OSD node.<\/p>\n\n\n\n<p>For example, on our node05 OSD;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ceph-volume lvm list | grep fsid<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>      cluster fsid              9e515c86-ef6b-11ee-9075-131b22dab25f\n      osd fsid                  032e3d0c-852a-47d7-9d8e-cb5edb5e9385\n<\/code><\/pre>\n\n\n\n<p>So, osd fsid is what is in they keyring above. 
Each encrypted OSD has its own LUKS passphrase.<\/p>\n\n\n\n<p>To retrieve an OSD&#8217;s LUKS passphrase, run the command below on the Ceph admin node. This works because <strong>client.admin<\/strong> may run config-key get against any key; the same is true for anyone who obtains the admin keyring, which is why protecting the monitors and keyrings matters as much as the encryption itself.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ceph config-key get &lt;key&gt;<\/code><\/pre>\n\n\n\n<p>To get the passphrase of the node05 OSD, for example;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo ceph config-key get dm-crypt\/osd\/032e3d0c-852a-47d7-9d8e-cb5edb5e9385\/luks<\/code><\/pre>\n\n\n\n<p>Sample passphrase (a base64 string that ceph-volume generated from random bytes when the OSD was prepared);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rNcd0xk9vZpyUAxcRDpgB9bEW25nEhm4yEbncXAoHIy5jIdB4f6VitJTWbCWbww5dtHzkCZoeGyRa4F+gYFSpH+beNWnKW0PS7QZ5hRpfLD0f+01PS44tPeIKjWlhsh6+mwFUTmi3o7HUUprIqFtcRzcHTIzhG9V5OXXIfF09js=<\/code><\/pre>\n\n\n\n<p>Test the passphrase against the OSD logical volume with cryptsetup on the OSD node. The passphrase above belongs to our node05 OSD drive.<\/p>\n\n\n\n<p>So, let&#8217;s verify!<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo cryptsetup luksOpen --test-passphrase \/dev\/ceph-77ed4102-9aa3-46bb-a15c-ea153402a145\/osd-block-032e3d0c-852a-47d7-9d8e-cb5edb5e9385<\/code><\/pre>\n\n\n\n<p>At the prompt, paste the passphrase retrieved above. With <strong>--test-passphrase<\/strong>, cryptsetup does not map the device; it exits with status 0 and prints nothing if the passphrase unlocks a keyslot, and reports &#8220;No key available with this passphrase&#8221; otherwise.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Enter passphrase for \/dev\/ceph-77ed4102-9aa3-46bb-a15c-ea153402a145\/osd-block-032e3d0c-852a-47d7-9d8e-cb5edb5e9385: &lt;paste the extracted base64 code above&gt;<\/code><\/pre>\n\n\n\n<p>You can even boot the OSD host from a live Ubuntu (or any other live) ISO and try to mount the OSD drive: without the passphrase the LUKS volume cannot be opened, which is exactly the protection that encryption at rest is meant to provide.<\/p>\n\n\n\n<p>See our live Ubuntu ISO trying to mount the encrypted OSD drive. 
Only with the right passphrase can the LUKS device be opened and the data behind it reached.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1019\" height=\"766\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/mounting-OSD-drive-on-live-ISO.png?v=1711981328\" alt=\"\" class=\"wp-image-22047\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/mounting-OSD-drive-on-live-ISO.png?v=1711981328 1019w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/04\/mounting-OSD-drive-on-live-ISO-768x577.png?v=1711981328 768w\" sizes=\"(max-width: 1019px) 100vw, 1019px\" \/><\/figure>\n\n\n\n<p>And voila! That is it.<\/p>\n\n\n\n<p>You can then look further into how to access the BlueStore data on an opened OSD device. Note that BlueStore is not a regular filesystem: it writes directly to the block device, so reading it requires Ceph&#8217;s BlueStore tooling rather than a plain <strong>mount<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"conclusion\">Conclusion<\/h3>\n\n\n\n<p>That concludes our guide! Keep in mind what the last section showed: every OSD passphrase sits in the monitors&#8217; config-key store and is readable with the admin keyring, so encryption at rest protects you against a lost, stolen or improperly decommissioned drive, not against an attacker who gains administrative access to the cluster. Restrict access to the cluster, its admin keyring and the ceph-volume output accordingly.<\/p>\n\n\n\n<p>Read more on <a href=\"https:\/\/docs.ceph.com\/en\/latest\/ceph-volume\/lvm\/encryption\/\" target=\"_blank\" rel=\"noreferrer noopener\">Ceph Encryption<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to encrypt data at rest on Ceph Cluster OSD. 
Current release versions of Ceph now support data encryption<\/p>\n","protected":false},"author":10,"featured_media":22049,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[39,1338,159,121,34],"tags":[7435,7433,7434],"class_list":["post-22023","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-storage","category-ceph","category-encryption","category-howtos","category-security","tag-ceph-osd-luks","tag-encrypt-osd-drive-with-luks","tag-obtain-osd-luks-passphrase","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/22023"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=22023"}],"version-history":[{"count":18,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/22023\/revisions"}],"predecessor-version":[{"id":22091,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/22023\/revisions\/22091"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/22049"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=22023"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=22023"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=22023"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}