Lustre / LU-12275

Client-side file data encryption

Details

    • New Feature
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • Lustre 2.14.0
    • Lustre 2.14.0

    Description

      This ticket is a placeholder to describe the work to be done for client-side encryption.

      The high-level requirements are the following:

      • encrypt file content
      • encrypt file name
      • have a master key for encryption
        • per-file encryption key derived from master key
        • file data is no longer accessible after file is deleted
      • able to change the user key without re-encrypting files
      • deny access to encrypted data when master key is removed from memory on the client
      • work in "batch scheduler" mode

      We are proposing to address these requirements by:

      So the workflow would be the following:

      • applications see clear text
      • data is encrypted before being sent to servers
        • then remains untouched
      • data is decrypted upon receipt from servers
        • untouched before that
      • servers only see encrypted data
        • but do not need to be aware of it
      • only client nodes have access to encryption keys

      Further details will be added as the feature design makes progress.
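
The key requirements listed above (a per-file key derived from a master key, data unreadable once the file is deleted, a user key that can change without re-encrypting files) can be met with a two-level key hierarchy. The sketch below is an added illustration, not part of the ticket and not Lustre's code; the per-file nonce, the wrap format and all function names are assumptions, and the XOR-plus-HMAC wrap stands in for a standard AEAD key wrap.

```python
import hashlib
import hmac
import os

def hkdf(key: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract, then expand to `length` bytes."""
    prk = hmac.new(salt, key, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def file_key(master_key: bytes, file_nonce: bytes) -> bytes:
    # Assumption: a random nonce is stored with each file's metadata.
    # The key needs both the nonce and the master key (client memory only),
    # so deleting the file (and its nonce) makes its data unrecoverable.
    return hkdf(master_key, file_nonce, b"file-contents")

def wrap(user_key: bytes, master_key: bytes) -> bytes:
    # Assumption: user_key is high-entropy bytes; a passphrase would first
    # go through a slow password KDF. One-time pad from a fresh salt + tag.
    salt = os.urandom(16)
    pad = hkdf(user_key, salt, b"wrap-pad", len(master_key))
    ct = bytes(a ^ b for a, b in zip(master_key, pad))
    mac_key = hkdf(user_key, salt, b"wrap-mac")
    return salt + ct + hmac.new(mac_key, salt + ct, hashlib.sha256).digest()

def unwrap(user_key: bytes, blob: bytes) -> bytes:
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hkdf(user_key, salt, b"wrap-mac")
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong user key or corrupted blob")
    pad = hkdf(user_key, salt, b"wrap-pad", len(ct))
    return bytes(a ^ b for a, b in zip(ct, pad))

def rekey(old_user_key: bytes, new_user_key: bytes, blob: bytes) -> bytes:
    # Changing the user key rewraps only the master key; per-file keys and
    # the ciphertext already stored on the servers are unchanged.
    return wrap(new_user_key, unwrap(old_user_key, blob))
```

Once the unwrapped master key is dropped from client memory, `file_key` can no longer be computed, which corresponds to the "deny access when master key is removed" requirement.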

            People

              sebastien Sebastien Buisson