Whamcloud Community JIRA

Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us

9.4.14

940014

05-12-2023

[LU-15582] RFI for lustre encryption https://jira.whamcloud.com/browse/LU-15582 Lustre <p>We are running a lustre cluster and have been requested to determine if communications between clients and servers is encrypted. Requesting assistance in determining with if our client and servers lustre communications is encrypted. </p> RHEL 7 LU-15582

RFI for lustre encryption

Story Major Open Unresolved Sebastien Buisson Ryan Seal Tue, 22 Feb 2022 17:59:34 +0000 Mon, 28 Feb 2022 12:46:30 +0000 Lustre 2.12.8 0 3 <p>Sébastien</p> <p>Could you please talk to the options in this area, both in 2.12.x and more current releases</p> <p>Thanks</p> <p>Peter</p> <p>Hi Ryan,</p> <p>In Lustre 2.12, you have two options to get the client/server communications encrypted:</p> <ul> <li>you can configure Kerberos for Lustre, with the <tt>krb5p</tt> flavor. It ensures privacy of both RPC messages and bulk data. Please refer to the Lustre documentation for full details, at <a href="https://doc.lustre.org/lustre_manual.xhtml#managingSecurity.kerberos" class="external-link" target="_blank" rel="nofollow noopener">https://doc.lustre.org/lustre_manual.xhtml#managingSecurity.kerberos</a></li> <li>you can make use of the Shared-Secret Key (SSK) feature, which provides privacy of both RPC messages and bulk data when the <tt>skpi</tt> flavor is selected. For full details, please refer to <a href="https://doc.lustre.org/lustre_manual.xhtml#lustressk" class="external-link" target="_blank" rel="nofollow noopener">https://doc.lustre.org/lustre_manual.xhtml#lustressk</a>.</li> </ul> <p>In Lustre 2.14/2.15, you get one more option thanks to the client-side encryption feature. Its purpose is to protect data at rest, but as it is implemented on Lustre client side, most of the traffic between clients and servers gets encrypted when accessing an encrypted directory. Please note that some information remains unencrypted even for encrypted files, such as timestamps, access rights, file owner, extended attributes, but depending on your use case it might be fine.<br/> The documentation for client-side encryption is available here:<br/> <a href="https://doc.lustre.org/lustre_manual.xhtml#managingSecurity.clientencryption" class="external-link" target="_blank" rel="nofollow noopener">https://doc.lustre.org/lustre_manual.xhtml#managingSecurity.clientencryption</a></p> <p>Please let me know if you need more information.<br/> Cheers,<br/> Sebastien.</p> Development Rank 1|i02j0v: Rank (Obsolete) 9223372036854775807