Enabling encryption at rest as a post deployment operation - OpenShift Data Foundation 4.19 Developer Preview


Starting with OpenShift Data Foundation 4.19, you can enable cluster-wide encryption at rest on an existing, already-deployed cluster to protect the data it holds. Encryption at rest protects the data on the underlying disks (for example, when a disk is removed or decommissioned); it does not change how data is accessed through the cluster.

Prerequisites

  • Ensure that you have deployed OpenShift Data Foundation 4.19.
  • Ensure that the Ceph cluster is healthy and that all placement groups (PGs) are active+clean. The migration destroys and re-creates every OSD in turn, so the cluster must be able to rebalance its data each time.

Procedure

  1. Edit the StorageCluster YAML to enable cluster-wide encryption by setting spec.encryption.clusterWide: true.
    In response to this StorageCluster change, the operator updates the Ceph cluster resource (CephCluster) by setting the following:

    • spec.storage.migration.confirmation: yes-really-migrate-osds
    • spec.storage.storageClassDeviceSets[0].encryption: true (set for each of the storageClassDeviceSets)
      Migration of the OSDs is triggered once the Ceph cluster resource has been updated.
  2. The OSDs are migrated one at a time. Each migration consists of the following steps:
    a. Delete the OSD deployment.
    b. Destroy the OSD. This marks the OSD as destroyed and removes its keys, but keeps its ID in the CRUSH map so that it can be reused:

    ceph osd destroy {id} --yes-i-really-mean-it
    

    c. Prepare the OSD again with the same ID, this time on an encrypted (dm-crypt) device.
    d. Wait for the data to rebalance before starting the next migration.

  3. The migration of the next OSD starts only when the previous migration has completed and the data has rebalanced (that is, all PGs are active+clean).
    Encryption is enabled for every OSD that has been migrated.

  4. Verify that encryption is enabled by confirming that a dm-crypt device entry exists under /dev/mapper/ for each OSD.