docs: verify Ceph encryption

Leonard Cohnen 2022-11-09 13:45:14 +01:00 committed by 3u13r
parent 4f710528bc
commit 7a8ca1e574

.github/docs/nfs.md vendored

@ -12,6 +12,8 @@ constellation create --name nfs -c 1 -w 3
## Deploy CSI Driver
> **_NOTE:_** For additional integrity protection, use our [Constellation CSI drivers](https://docs.edgeless.systems/constellation/workflows/storage) with integrity protection enabled. With this option there is no need to enable encryption on Cephs side in the step [Deploy Rook](#deploy-rook).
We need block storage form somewhere. We will use the official Azure CSI for that. We need to create the azure config secret again with the expected fields. Replace "XXX" with the corresponding value from the secret `azureconfig`.
```bash
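Review bot: The NOTE line tells readers there is "no need to enable encryption on Cephs side", but it does not say that the "Verify Ceph OSD encryption" section at the end of this file only applies when OSD encryption was enabled in Deploy Rook. A reader who follows the note will find no `-dmcrypt` device and may think something is broken, so add a sentence saying the verification section can be skipped in that case. While here, "Cephs" should be "Ceph's", and the sentence both opens with "For additional integrity protection" and ends with "with integrity protection enabled", so one of the two can be dropped.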
@ -229,3 +231,25 @@ spec:
matchLabels:
app: nginx
```
## Verify Ceph OSD encryption
To verify that Ceph created an encrypted device, [log into a node](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#ephemeral-container) via `kubectl debug`.
```bash
$ ls /dev/mapper/
control root set1-data-1flnzz-block-dmcrypt state state_dif
$ cryptsetup status /dev/mapper/set1-data-1flnzz-block-dmcrypt
/dev/mapper/set1-data-1flnzz-block-dmcrypt is active and is in use.
type: LUKS2
cipher: aes-xts-plain64
keysize: 512 bits
key location: dm-crypt
device: /dev/sdc
sector size: 512
offset: 32768 sectors
size: 20938752 sectors
mode: read/write
flags: discards
```