"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/source/overview_encryption.rst" between
swift-2.19.1.tar.gz and swift-2.21.0.tar.gz

About: OpenStack swift is software for creating redundant, scalable object storage using clusters of commodity servers to store terabytes or even petabytes of accessible data (now supporting storage policies).
The "Stein" series (latest release).

overview_encryption.rst  (swift-2.19.1):overview_encryption.rst  (swift-2.21.0)
skipping to change at line 164 skipping to change at line 164
<https://docs.openstack.org/barbican>`_ rather than storing root secrets in <https://docs.openstack.org/barbican>`_ rather than storing root secrets in
configuration files. configuration files.
Once deployed, the encryption filter will by default encrypt object data and Once deployed, the encryption filter will by default encrypt object data and
metadata when handling PUT and POST requests and decrypt object data and metadata when handling PUT and POST requests and decrypt object data and
metadata when handling GET and HEAD requests. COPY requests are transformed metadata when handling GET and HEAD requests. COPY requests are transformed
into GET and PUT requests by the :ref:`copy` middleware before reaching the into GET and PUT requests by the :ref:`copy` middleware before reaching the
encryption middleware and as a result object data and metadata is decrypted and encryption middleware and as a result object data and metadata is decrypted and
re-encrypted when copied. re-encrypted when copied.
.. _changing_the_root_secret:
Changing the encryption root secret Changing the encryption root secret
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
From time to time it may be desirable to change the root secret that is used to From time to time it may be desirable to change the root secret that is used to
derive encryption keys for new data written to the cluster. The `keymaster` derive encryption keys for new data written to the cluster. The `keymaster`
middleware allows alternative root secrets to be specified in its configuration middleware allows alternative root secrets to be specified in its configuration
using options of the form:: using options of the form::
encryption_root_secret_<secret_id> = <secret value> encryption_root_secret_<secret_id> = <secret value>
skipping to change at line 214 skipping to change at line 216
[keymaster] [keymaster]
active_root_secret_id = 2 active_root_secret_id = 2
encryption_root_secret = your_secret encryption_root_secret = your_secret
encryption_root_secret_1 = your_secret_1 encryption_root_secret_1 = your_secret_1
encryption_root_secret_2 = your_secret_2 encryption_root_secret_2 = your_secret_2
.. note:: .. note::
To ensure there is no loss of data availability, deploying a new key to To ensure there is no loss of data availability, deploying a new key to
your cluster requires a two-stage config change. First, add the new key your cluster requires a two-stage config change. First, add the new key
to the ``key_id_<secret_id>`` option and restart the proxy-server. Do this to the ``encryption_root_secret_<secret_id>`` option and restart the
for all proxies. Next, set the ``active_root_secret_id`` option to the proxy-server. Do this for all proxies. Next, set the
new secret id and restart the proxy. Again, do this for all proxies. This ``active_root_secret_id`` option to the new secret id and restart the
process ensures that all proxies will have the new key available for proxy. Again, do this for all proxies. This process ensures that all
*decryption* before any proxy uses it for *encryption*. proxies will have the new key available for *decryption* before any proxy
uses it for *encryption*.
Encryption middleware Encryption middleware
--------------------- ---------------------
Once deployed, the encryption filter will by default encrypt object data and Once deployed, the encryption filter will by default encrypt object data and
metadata when handling PUT and POST requests and decrypt object data and metadata when handling PUT and POST requests and decrypt object data and
metadata when handling GET and HEAD requests. COPY requests are transformed metadata when handling GET and HEAD requests. COPY requests are transformed
into GET and PUT requests by the :ref:`copy` middleware before reaching the into GET and PUT requests by the :ref:`copy` middleware before reaching the
encryption middleware and as a result object data and metadata is decrypted and encryption middleware and as a result object data and metadata is decrypted and
re-encrypted when copied. re-encrypted when copied.
skipping to change at line 431 skipping to change at line 434
[kmip_keymaster] [kmip_keymaster]
key_id = 1234567890 key_id = 1234567890
host = 127.0.0.1 host = 127.0.0.1
port = 5696 port = 5696
certfile = /etc/swift/kmip_client.crt certfile = /etc/swift/kmip_client.crt
keyfile = /etc/swift/kmip_client.key keyfile = /etc/swift/kmip_client.key
ca_certs = /etc/swift/kmip_server.crt ca_certs = /etc/swift/kmip_server.crt
username = swift username = swift
password = swift_password password = swift_password
Changing the encryption root secret of external KMS's
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Because the KMS and KMIP keymaster's derive from the default KeyMaster they
also have to ability to define multiple keys. The only difference is the key
option names. Instead of using the form `encryption_root_secret_<secret_id>`
both external KMS's use `key_id_<secret_id>`, as it is an extension of their
existing configuration. For example::
...
key_id = 1234567890
key_id_foo = 0987654321
key_id_bar = 5432106789
active_root_secret_id = foo
...
Other then that, the process is the same as :ref:`changing_the_root_secret`.
Upgrade Considerations Upgrade Considerations
---------------------- ----------------------
When upgrading an existing cluster to deploy encryption, the following sequence When upgrading an existing cluster to deploy encryption, the following sequence
of steps is recommended: of steps is recommended:
#. Upgrade all object servers #. Upgrade all object servers
#. Upgrade all proxy servers #. Upgrade all proxy servers
#. Add keymaster and encryption middlewares to every proxy server's middleware #. Add keymaster and encryption middlewares to every proxy server's middleware
pipeline with the encryption ``disable_encryption`` option set to ``True`` pipeline with the encryption ``disable_encryption`` option set to ``True``
 End of changes. 3 change blocks. 
5 lines changed or deleted 26 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)