  1. Lustre
  2. LU-12275

Client-side file data encryption

Details

    • New Feature
    • Resolution: Fixed
    • Critical
    • Lustre 2.14.0
    • Lustre 2.14.0
    • 9223372036854775807

    Description

      This ticket is a placeholder to describe the work to be done for client-side encryption.

      The high-level requirements are the following:

      • encrypt file content
      • encrypt file name
      • have a master key for encryption
        • per-file encryption key derived from master key
        • file data is no longer accessible after file is deleted
      • able to change the user key without re-encrypting files
      • deny access to encrypted data when master key is removed from memory on the client
      • work in "batch scheduler" mode

      We are proposing to address these requirements by:

      So the workflow would be the following:

      • applications see clear text
      • data is encrypted before being sent to servers
        • then remains untouched
      • data is decrypted upon receipt from servers
        • untouched before that
      • servers only see encrypted data
        • but do not need to be aware of it
      • only client nodes have access to encryption keys

      Further details will be added as the feature design makes progress.
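
The key-hierarchy requirements above (per-file key derived from a master key, user key changeable without re-encrypting files) can be sketched as follows. This is an added example, not Lustre code and not the design from the ticket's attachments: all function names are hypothetical, the per-file nonce stored with the file is an assumption, and the keystream-plus-HMAC wrap is a standard-library stand-in for a real AEAD or AES key wrap.

```python
import hashlib, hmac, os

def hkdf(key, info, length=32):
    """HKDF-SHA256 (RFC 5869) with an all-zero salt."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + block, i + 1
    return okm[:length]

def _xor(kek, nonce, data):
    stream = hkdf(kek, b"wrap-enc" + nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(kek, body):
    return hmac.new(hkdf(kek, b"wrap-mac"), body, hashlib.sha256).digest()

def wrap(kek, key):
    """Stand-in key wrap: the master key is stored only in this wrapped form."""
    nonce = os.urandom(16)
    body = nonce + _xor(kek, nonce, key)
    return body + _tag(kek, body)

def unwrap(kek, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(kek, body)):
        raise ValueError("wrong user key or corrupted blob")
    return _xor(kek, body[:16], body[16:])

def file_key(master, file_nonce):
    """Per-file key: needs the master key AND the nonce stored with the file,
    so once the file (and its nonce) is deleted the key cannot be re-derived."""
    return hkdf(master, b"file-key" + file_nonce)

def demo():
    master = os.urandom(32)                       # constructed sample keys
    old_user, new_user = os.urandom(32), os.urandom(32)
    wrapped = wrap(old_user, master)
    nonce_a, nonce_b = os.urandom(16), os.urandom(16)
    before = file_key(unwrap(old_user, wrapped), nonce_a)
    # Changing the user key only re-wraps the master key; file data is untouched.
    wrapped = wrap(new_user, unwrap(old_user, wrapped))
    after = file_key(unwrap(new_user, wrapped), nonce_a)
    try:
        unwrap(old_user, wrapped)
        old_rejected = False
    except ValueError:
        old_rejected = True
    return before == after, old_rejected, file_key(master, nonce_b) != before
```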

      Attachments

        1. lustre_encryption_access_semantics.txt
          6 kB
          Sebastien Buisson
        2. lustre_encryption_key_hierarchy.txt
          5 kB
          Sebastien Buisson
        3. lustre_encryption_modes_usage.txt
          4 kB
          Sebastien Buisson
        4. lustre_encryption_threat_model.txt
          7 kB
          Sebastien Buisson

            People

              sebastien Sebastien Buisson