Data at Rest Encryption

Description

OpenIO supports data at rest encryption with keys provided by the customer in each request (SSE-C), fully compatible with Amazon S3's implementation of server-side encryption.

Prerequisites

In this guide we assume you have an OpenIO SDS namespace in version 5.0.0.0c0 that is ready to use.

Installation

No specific installation is required; data at rest encryption is handled at the S3 gateway level.

Configuration

To enable data at rest encryption, you must edit the gateway configuration file (/etc/oio/sds/[NS]/oioswift-X/proxy-server.conf):

  • The keymaster and encryption middlewares must be added to the pipeline
  • The keymaster and encryption filter sections must be defined
  • The keymaster middleware requires a root secret (encryption_root_secret), which must be the base64 encoding of at least 32 bytes.

Configuration using Ansible

This part of the documentation explains how to enable data at rest encryption using Ansible.

First, add the following configuration to the gateway group_vars file (oiosds/products/sds/group_vars/oioswift.yml):

oioswift.yml
...
openio_oioswift_pipeline:
  - catch_errors
  - gatekeeper
  - healthcheck
  - proxy-logging
  - cache
  - bulk
  - tempurl
  - proxy-logging
  - swift3
  - tempauth
  - proxy-logging
  - copy
  - container-quotas
  - account-quotas
  - slo
  - dlo
  - versioned_writes
  - keymaster
  - encryption
  - proxy-logging
  - proxy-server

openio_oioswift_filter_keymaster:
  use: "egg:oioswift#keymaster"
  encryption_root_secret: TmV4dC1HZW4gT2JqZWN0IFN0b3JhZ2UgJiBTZXJ2ZXJsZXNzIENvbXB1dGluZwo=

openio_oioswift_filter_encryption:
  use: "egg:oioswift#encryption"

...

Run the following command to update the configuration and restart your gateways:

# ansible-playbook -i inventory.ini playbooks/oioswift.yml

Manual configuration

This part of the documentation explains how to enable data at rest encryption manually.

First, add the following configuration to the gateway configuration file (/etc/oio/sds/[NS]/oioswift-X/proxy-server.conf):

proxy-server.conf
...
[pipeline:main]
pipeline = catch_errors gatekeeper proxy-logging cache swift3 tempauth copy slo versioned_writes keymaster encryption proxy-logging proxy-server
[filter:keymaster]
use = egg:oioswift#keymaster
encryption_root_secret = TmV4dC1HZW4gT2JqZWN0IFN0b3JhZ2UgJiBTZXJ2ZXJsZXNzIENvbXB1dGluZwo=

[filter:encryption]
use = egg:oioswift#encryption
...
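The three requirements listed under Configuration (middlewares in the pipeline, filter sections present, root secret of at least 32 decoded bytes) are easy to get wrong by hand. The following Python script is an added example, not part of OpenIO or this documentation: it parses a proxy-server.conf fragment with the standard library, checks those requirements, verifies that keymaster precedes encryption (the order used in both configurations on this page, which the encryption middleware depends on), and generates a fresh root secret. The sample config embedded in the script is the manual configuration fragment above; the secret in that fragment is a public demonstration value and a real deployment should use a freshly generated one.

```python
import base64
import binascii
import configparser
import os

# Constructed sample: the [pipeline:main], [filter:keymaster] and
# [filter:encryption] fragment from the manual configuration above.
SAMPLE_CONF = """\
[pipeline:main]
pipeline = catch_errors gatekeeper proxy-logging cache swift3 tempauth copy slo versioned_writes keymaster encryption proxy-logging proxy-server

[filter:keymaster]
use = egg:oioswift#keymaster
encryption_root_secret = TmV4dC1HZW4gT2JqZWN0IFN0b3JhZ2UgJiBTZXJ2ZXJsZXNzIENvbXB1dGluZwo=

[filter:encryption]
use = egg:oioswift#encryption
"""


def generate_root_secret(nbytes=32):
    """Return a fresh encryption_root_secret: base64 of nbytes from the OS CSPRNG."""
    if nbytes < 32:
        raise ValueError("the root secret must encode at least 32 bytes")
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def root_secret_problems(secret):
    """Validate an encryption_root_secret value; return a list of problems (empty = OK)."""
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return ["encryption_root_secret is not valid base64"]
    if len(raw) < 32:
        return ["encryption_root_secret decodes to %d bytes; at least 32 are required" % len(raw)]
    return []


def check_encryption_config(conf_text):
    """Check a proxy-server.conf text for the encryption requirements.

    Returns a list of human-readable problems; an empty list means the
    keymaster/encryption setup looks correct.
    """
    # interpolation=None so a '%' inside a secret is not treated specially
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    problems = []

    pipeline = cp.get("pipeline:main", "pipeline", fallback="").split()
    for name in ("keymaster", "encryption"):
        if name not in pipeline:
            problems.append("%s is missing from [pipeline:main]" % name)
        if not cp.has_section("filter:%s" % name):
            problems.append("[filter:%s] section is missing" % name)

    # keymaster supplies the keys that encryption consumes, so it must run first
    if "keymaster" in pipeline and "encryption" in pipeline:
        if pipeline.index("keymaster") > pipeline.index("encryption"):
            problems.append("keymaster must appear before encryption in the pipeline")

    if cp.has_section("filter:keymaster"):
        secret = cp.get("filter:keymaster", "encryption_root_secret", fallback=None)
        if secret is None:
            problems.append("[filter:keymaster] has no encryption_root_secret")
        else:
            problems.extend(root_secret_problems(secret))
    return problems


if __name__ == "__main__":
    print("problems with sample config:", check_encryption_config(SAMPLE_CONF) or "none")
    print("fresh encryption_root_secret:", generate_root_secret())
```

To check a real gateway, read /etc/oio/sds/[NS]/oioswift-X/proxy-server.conf into a string and pass it to check_encryption_config; run it on every gateway instance, since each one carries its own copy of the file.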

Then, to make data at rest encryption available, reload the configuration and restart the service:

# gridinit_cmd reload
# gridinit_cmd restart OPENIO-oioswift-0

Note that you must update all the gateway instances in your cluster.

Example check

Here are some commands to check that encryption is correctly configured, using the AWS S3 command line client:

# create a bucket
# aws --endpoint-url http://10.0.0.80:6007 --no-verify-ssl s3api create-bucket --bucket bucket0

# upload a file, specifying encryption key
# aws --endpoint-url http://10.0.0.80:6007 --no-verify-ssl s3 cp /etc/magic "s3://bucket0/magic" --sse-c AES256 --sse-c-key "azZmUHdpVVFGeWcxZXJ3YkVXc3BHdFVp"

# download the previously uploaded file
# aws --endpoint-url http://10.0.0.80:6007 --no-verify-ssl s3 cp s3://bucket0/magic /tmp/magic --sse-c AES256 --sse-c-key "azZmUHdpVVFGeWcxZXJ3YkVXc3BHdFVp"