Enable full disk encryption in MicroCeph
Full disk encryption (FDE) in MicroCeph allows operating encrypted OSDs in a MicroCeph cluster. See the FDE explanation to learn more about FDE protection and its limitations.
Prerequisites
To use FDE, the following prerequisites must be met:
The installed snapd daemon version must be >= 2.59.1
The dm-crypt kernel module must be available. Note that some cloud-optimised kernels do not ship dm-crypt by default. Check by running:
sudo modinfo dm-crypt
The snap dm-crypt plug has to be connected, and microceph.daemon subsequently restarted:
sudo snap connect microceph:dm-crypt
sudo snap restart microceph.daemon
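The three prerequisites above can be checked in one pass before any disk is added with --encrypt. The script below is an added example, not part of the MicroCeph documentation; its function names and the sample `snap version` and `snap connections microceph` output are constructed for illustration.

```bash
# Pre-flight check for the MicroCeph FDE prerequisites (added example).
MIN_SNAPD="2.59.1"   # minimum snapd version, from the prerequisites above

# Print the snapd version from `snap version` output, minus any suffix such
# as "+23.10"; print nothing if it is not a dotted number ("unavailable").
snapd_version() {
    printf '%s\n' "$1" | awk '$1 == "snapd" { sub(/[+~-].*/, "", $2); if ($2 ~ /^[0-9]+(\.[0-9]+)*$/) print $2 }'
}

# version_ge A B: succeed when dotted version A >= B, compared numerically
# field by field (so 2.100.0 > 2.59.1). An empty A never passes.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Succeed when `snap connections microceph` output shows the dm-crypt plug
# attached to a slot; an unconnected plug has "-" in the Slot column.
plug_connected() {
    printf '%s\n' "$1" | awk '$2 == "microceph:dm-crypt" && $3 != "-" { ok = 1 } END { exit !ok }'
}

# check_prereqs SNAP_VERSION_OUTPUT CONNECTIONS_OUTPUT MODINFO_EXIT_STATUS
# Reports every unmet prerequisite; returns non-zero if any is unmet.
check_prereqs() {
    rc=0; v=$(snapd_version "$1")
    version_ge "$v" "$MIN_SNAPD" || { echo "FAIL: snapd '${v:-unknown}' is older than $MIN_SNAPD"; rc=1; }
    [ "$3" -eq 0 ] || { echo "FAIL: dm-crypt kernel module not available"; rc=1; }
    plug_connected "$2" || { echo "FAIL: microceph:dm-crypt plug not connected"; rc=1; }
    return $rc
}

# Constructed sample output (not captured from a real system).
SAMPLE_VERSION='snap    2.61.3+23.10
snapd   2.61.3+23.10
series  16'
SAMPLE_CONN='Interface  Plug                Slot  Notes
dm-crypt   microceph:dm-crypt  -     -'

# On a real host, pass live output instead:
#   modinfo dm-crypt >/dev/null 2>&1; mod=$?
#   check_prereqs "$(snap version)" "$(snap connections microceph)" "$mod"
check_prereqs "$SAMPLE_VERSION" "$SAMPLE_CONN" 0 || echo "FDE prerequisites not met"
```

With the constructed sample, the check reports only the unconnected dm-crypt plug, which is the state before `snap connect microceph:dm-crypt` has been run.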
Enable FDE
FDE for OSDs is activated by passing the optional --encrypt flag when adding disks:
sudo microceph disk add /dev/sdx --wipe --encrypt
Note that there is no facility to encrypt an OSD that is already part of the cluster. To enable encryption, you will have to take the OSD disk out of the cluster, ensure that the data is replicated and that the cluster has converged and is healthy, and then re-introduce the OSD with encryption.