mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
docs: verify Ceph encryption
parent
4f710528bc
commit
7a8ca1e574
24
.github/docs/nfs.md
vendored
@ -12,6 +12,8 @@ constellation create --name nfs -c 1 -w 3
|
||||
|
||||
## Deploy CSI Driver
|
||||
|
||||
> **_NOTE:_** For additional integrity protection, use our [Constellation CSI drivers](https://docs.edgeless.systems/constellation/workflows/storage) with integrity protection enabled. With this option there is no need to enable encryption on Cephs side in the step [Deploy Rook](#deploy-rook).
|
||||
|
||||
We need block storage form somewhere. We will use the official Azure CSI for that. We need to create the azure config secret again with the expected fields. Replace "XXX" with the corresponding value from the secret `azureconfig`.
|
||||
|
||||
```bash
|
||||
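Review bot: the added NOTE under "Deploy CSI Driver" concludes that Ceph-side encryption can be skipped, but it only names integrity protection as what the Constellation CSI drivers provide, so the reader cannot tell why encryption becomes redundant. State explicitly that the Constellation CSI volumes are encrypted as well, and say whether the Azure CSI steps that follow the note still apply when that option is chosen. Also a typo: "Cephs side" should read "Ceph's side", and "integrity protection" appears twice in one sentence.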
@ -229,3 +231,25 @@ spec:
|
||||
matchLabels:
|
||||
app: nginx
|
||||
```
|
||||
|
||||
## Verify Ceph OSD encryption
|
||||
|
||||
To verify that Ceph created an encrypted device, [log into a node](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#ephemeral-container) via `kubectl debug`.
|
||||
|
||||
```bash
|
||||
$ ls /dev/mapper/
|
||||
control root set1-data-1flnzz-block-dmcrypt state state_dif
|
||||
|
||||
$ cryptsetup status /dev/mapper/set1-data-1flnzz-block-dmcrypt
|
||||
/dev/mapper/set1-data-1flnzz-block-dmcrypt is active and is in use.
|
||||
type: LUKS2
|
||||
cipher: aes-xts-plain64
|
||||
keysize: 512 bits
|
||||
key location: dm-crypt
|
||||
device: /dev/sdc
|
||||
sector size: 512
|
||||
offset: 32768 sectors
|
||||
size: 20938752 sectors
|
||||
mode: read/write
|
||||
flags: discards
|
||||
```
|
||||
|
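Review bot: the new "Verify Ceph OSD encryption" section shows the output but never says what in it confirms success, and it leaves the access step to a link. Add a sentence that the check passes when a `*-block-dmcrypt` mapping exists under `/dev/mapper/` and `cryptsetup status` reports `type: LUKS2` for it, and note that `set1-data-1flnzz-block-dmcrypt` is the name from this example cluster and will differ for the reader. Since the text points at `kubectl debug` only via the ephemeral-container docs, spell out the invocation you expect and mention that the debug container needs host device access for `cryptsetup` to work. Minor style point: the block is fenced as `bash` but mixes `$` prompts with command output, so copying it verbatim will not run.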