| Encryption at layer | Encryption method | Advantages | Disadvantages | Comments |
|---|---|---|---|---|
| ZFS native encryption | ZFS native | All data on backing storage is encrypted. Performance. Applications do not need to implement encryption for storage. Best integration with ZFS snapshots. Consistent with distributed filesystem. | Not yet available for OpenZFS. Service data unencrypted until ZFS layer. | ZFSonLinux feature request. May be ready in 2018. |
| Encrypt each DFS drive independently, build ZFS on top | LUKS | All data on backing storage is encrypted. Consistent with distributed filesystem. | No distro/ZFS supported method to implement. Adds a layer between ZFS and media with possible data inconsistency. | Ad hoc and prone to breakage? Supported encryption option for Ceph OSD. |
| Encrypt ZFS filesystems and build DFS on top | eCryptfs | All data on backing storage is encrypted. Applications do not need to implement encryption for storage. Consistent with distributed filesystem. | ZFS snapshots are encrypted; backend recovery difficult. Slight performance cost. Some effort required to encrypt file/directory names. | Best compromise? See here. |
| Distributed file system encryption | Internal | Best consistency with DFS. Applications do not need to implement encryption for storage. | gluster: no filename encryption, no performance settings. Encryption at volume level (global). ZFS snapshots are encrypted; backend recovery difficult. Ceph? | gluster |
| Service level encryption: block | LUKS | Best option for data security: data encrypted in/out of service system. Can choose encryption options per service. | No distributed option. Only iSCSI multipath. ZFS snapshots are of entire block device. | |
| Service level encryption: overlay | EncFS | Best option for secure, distributed file system. Can choose encryption options per service. | Independent encryption overlay on each service system can lead to file system inconsistency, loss. EncFS has known security issues. | EncFS security issues being worked on but currently only at git level. May be production-ready in 2017. |
| Service level encryption: service | Internal | Best integration with service. | No filename encryption (OwnCloud). HA option? Poor integration with ZFS snapshots. | Service dependent. Not all services provide encryption. |
| Client-side encryption | Internal | Most private configuration: user encrypts and holds keys. | Poor integration with ZFS snapshots. Not possible to recover data if user loses key. | Service dependent. |
-- LoriPaniak - 2016-06-14