-
|
Hello, When building a Ceph Cluster, if “encryptedDevice” is set to true in the cluster.yaml, I understand that an encryption key is generated automatically. My question is, do I have the ability to change or customize my encryption key/passphrase? Thanks! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
No, if the encryption key changes, the data that has been encrypted with that key will be lost. For key rotation, you will want to use an external KMS (Vault is currently supported). This is a new feature in v1.5, let us know how it works for you! |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for your quick response! One follow up question - if I were to build a Ceph Cluster without using Rook, would it be possible to customize the encryption key then? I’m just wondering if it’s possible at all with Ceph to create a custom encryption key rather than being limited to the one it generates itself. Thanks for your help! |
Beta Was this translation helpful? Give feedback.
-
|
Even if you use the straight provisioning with ceph-volume, you won't be able to select your own passphrase. |
Beta Was this translation helpful? Give feedback.
No, if the encryption key changes, the data that has been encrypted with that key will be lost. For key rotation, you will want to use an external KMS (Vault is currently supported). This is a new feature in v1.5, let us know how it works for you!