Swift Object Encryption. Janie Richling (IBM), Alistair Coles (Hewlett Packard Enterprise)
Taking a look upstream… Image: https://pixabay.com/en/sailor-spyglass-man-ship-lookout-40090/
It’s a community effort. Contributions from: Sam Merritt (SwiftStack), Mahati Chamarthy (Intel), Hamdi Roumani (IBM), Thiago Da Silva (Red Hat), Peter Chng (IBM), Jonathan Hinson (IBM), Tim Burke (SwiftStack), Christian Cachin (IBM), Janie Richling (IBM), Alistair Coles (HPE). Image: Rusty Weise
Swift is an object store: REST API via HTTP protocol
Operations: Create (PUT, COPY), Read (GET, HEAD), Update (POST), Delete (DELETE)
Diagram labels: accounts (tenant_1, tenant_2), containers (images, pictures, video), objects (img_1, img_2, 001, 002, abc)
Swift is an object store: REST API via HTTP protocol
curl http://swift:8080/v1/tenant_1/images/004 -X PUT
curl http://swift:8080/v1/tenant_2/video/abc -X GET
Swift is scalable: load is distributed using modified consistent hashing
Diagram: proxy servers, storage nodes
curl http://swift:8080/v1/tenant_1/images/004 -X PUT
curl http://swift:8080/v1/tenant_2/video/abc -X GET
Swift is durable: data is protected using erasure coding or replication
Diagram: proxy servers, storage nodes
curl http://swift:8080/v1/tenant_1/images/004 -X PUT
curl http://swift:8080/v1/tenant_2/video/abc -X GET
Swift is not insecure
Access is controlled, e.g. using Keystone identity service and RBAC
Only proxy nodes have externally facing network interfaces
Diagram: proxy servers, storage nodes
Image: https://pixabay.com/en/shield-fence-wire-mesh-fence-note-511714/
But what about this guy?
Hardware encryption: self encrypting drives/disk controllers
+ performance
+ metadata is encrypted as well as data
- hardware upgrade
- no support for user provided keys
Diagram: proxy servers, storage nodes
Image: https://pixabay.com/en/hard-drive-hdd-disk-data-store-503960/
Virtual block device encryption (dm-crypt)
+ software solution
+ metadata is encrypted as well as data
- no support for user provided keys
- repeated encryption of object replicas
- data must move to new virtual disks
Diagram: proxy servers, storage nodes
Swift encryption middleware
+ allows integration with Barbican
+ allows user provided keys (BYOK)
+ upgrade without impacting existing data
+ internal data in flight is encrypted
- only user data is encrypted
- existing data needs migrating to be encrypted
Diagram: proxy servers, storage nodes
Image: https://pixabay.com/en/under-construction-construction-area-150271/
Swift encryption middleware
Diagram: proxy pipeline running from the first middleware to the last middleware, with keymaster, encrypter and decrypter as pipeline components
Service managed keys
Root Secret
Request with credentials
Keys are never cached or persisted
Diagram: proxy pipeline (first middleware, keymaster, encrypter, decrypter, last middleware)
Key Derivation
Key derivation alg:
hmac(Secret, 'account1/containerA') = [derived key, image on slide]
hmac(Secret, 'account1/containerA/object1') = [derived key, image on slide]
Diagram labels: account1; containerA, containerB; object1, object2, object3
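The derivation on the Key Derivation slide, together with the "keys are never cached or persisted" point, as an added example (not code from the talk or from Swift). It assumes HMAC-SHA256 as the hmac and a base64-encoded root secret of at least 32 bytes; the function names and the sample secret are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample root secret (32 bytes, base64-encoded as it might sit in
# a config file). Illustrative only; never reuse this value.
SAMPLE_ROOT_SECRET_B64 = base64.b64encode(bytes(range(32))).decode()


def load_root_secret(b64_value):
    """Decode the root secret and refuse anything shorter than 256 bits."""
    secret = base64.b64decode(b64_value, validate=True)
    if len(secret) < 32:
        raise ValueError("root secret must be at least 32 bytes")
    return secret


def derive_key(root_secret, account, container, obj=None):
    """hmac(Secret, 'account/container[/object]') -> 32-byte key.

    SHA-256 is an assumption; the slide only says 'hmac'. Its 32-byte digest
    matches the 256-bit AES key size named later in the deck.
    """
    for part in (account, container):
        # Rejecting '/' here keeps a container path from ever colliding with
        # an object path, even though object names may contain '/'.
        if not part or "/" in part:
            raise ValueError("account and container must be non-empty, no '/'")
    path = f"{account}/{container}"
    if obj is not None:
        if not obj:
            raise ValueError("object name must be non-empty")
        path += f"/{obj}"
    return hmac.new(root_secret, path.encode("utf-8"), hashlib.sha256).digest()


def demo():
    secret = load_root_secret(SAMPLE_ROOT_SECRET_B64)
    container_key = derive_key(secret, "account1", "containerA")
    object_key = derive_key(secret, "account1", "containerA", "object1")
    # A later request re-derives the same key from the path, so the
    # keymaster has nothing to cache or persist.
    rederived = derive_key(secret, "account1", "containerA", "object1")
    return container_key, object_key, rederived
```

Because every key is a pure function of the root secret and the path, the root secret is the only value that needs protecting and backing up in the service managed model.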
BYOK: push model
Request with credentials
Keys are never cached or persisted
Diagram: proxy pipeline (first middleware, keymaster, encrypter, decrypter, last middleware)
BYOK: pull model
Key Server/Barbican
Request with credentials
Diagram: proxy pipeline (first middleware, keymaster, encrypter, decrypter, last middleware)
What gets encrypted
Key | Pre-encrypt value | Post-encrypt value
Etag | 4b7550f00f2e80408b8bb2d6dc7f705f | LQIpWr6BPR1RUDxmnWrQX1JemA3JegzPI9yd9QmkBOo=
Content-type | text/plain | text/plain
Content-length | 28 | 28
X-Object-Meta-Tag | Bank account password | VEVYRwZYXVVC9QTEFJTg==
Body | correct horse battery staple | *?/uew(liet#\4*!@j[>.6-f!y$\
Method of encryption
- AES 256-bit keys
- CTR Mode
- cryptography python library
Demo Image: https://pixabay.com/en/crossed-fingers-cross-fingers-363478/
What's so hard?
• Etag
• Conditional and ranged GETs
• Container listing
• Maximum length increase from Encoding encrypted headers
• Future challenges
• Content-type
• Container tempURL metadata
• Client keys:
• Container-sync
• ACLs
• TempURLs
• public containers
Status
• https://github.com/openstack/swift/tree/feature/crypto
• Goal for Newton Release
Team work. Contributions from: Sam Merritt (SwiftStack), Mahati Chamarthy (Intel), Hamdi Roumani (IBM), Thiago Da Silva (Red Hat), Peter Chng (IBM), Jonathan Hinson (IBM), Tim Burke (SwiftStack), Christian Cachin (IBM), Janie Richling (IBM), Alistair Coles (HPE)
Spec: http://specs.openstack.org/openstack/swift-specs/specs/in_progress/at_rest_encryption.html
Code: https://github.com/openstack/swift/tree/feature/crypto