Uploading an object using AWS and the Vault
When uploading an object to the Ceph Object Gateway, the Ceph Object Gateway fetches the key from the Vault, and then encrypts and stores the object in a bucket. When a request is made to download the object, the Ceph Object Gateway automatically retrieves the corresponding key from the Vault and decrypts the object. The client never handles the key material itself; it only names the key in the request, and the gateway builds the URL of that key from the Vault address, set by the
rgw_crypt_vault_addr option, and the path prefix, set by the
rgw_crypt_vault_prefix option.
Prerequisites
- A running IBM Storage Ceph cluster.
- Installation of the Ceph Object Gateway software.
- Installation of the HashiCorp Vault software.
- Access to a Ceph Object Gateway client node.
- Access to Amazon Web Services (AWS).
Procedure
- Upload an object using the AWS command line client and provide the Server-Side Encryption (SSE) key ID in the request:
- For the Key/Value secret engine:
Example
[user@client ~]$ aws --endpoint=http://radosgw:8000 s3 cp plaintext.txt s3://mybucket/encrypted.txt --sse=aws:kms --sse-kms-key-id myproject/mybucketkey
Note: In the example, the Ceph Object Gateway would fetch the secret from http://vault-server:8200/v1/secret/data/myproject/mybucketkey
- For the Transit engine:
Example
[user@client ~]$ aws --endpoint=http://radosgw:8000 s3 cp plaintext.txt s3://mybucket/encrypted.txt --sse=aws:kms --sse-kms-key-id mybucketkey
Note: In the example, the Ceph Object Gateway would fetch the key from http://vaultserver:8200/v1/transit/mybucketkey
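The procedure above shows the upload command but not how to confirm that the gateway actually applied SSE-KMS with the intended key, or that the object can be decrypted again. The following script is an added example written for this page; it is not code from the IBM Storage Ceph documentation or from the Ceph project. It assumes the hypothetical endpoint http://radosgw:8000, a bucket named mybucket, an aws CLI profile that already holds credentials for the gateway, and the key IDs used in the examples. The function names vault_key_url and sse_kms_upload_and_verify are the author's own. vault_key_url reconstructs the Vault URL the gateway would fetch from rgw_crypt_vault_addr, rgw_crypt_vault_prefix and the key ID, so a key ID can be checked against the Vault path before anything is uploaded; sse_kms_upload_and_verify uploads, reads back the encryption metadata with head-object, and byte-compares a fresh download against the source.

```shell
#!/usr/bin/env bash
# Added example, not part of the IBM Storage Ceph documentation or the Ceph project.
# Assumptions (hypothetical): endpoint http://radosgw:8000, bucket "mybucket",
# an aws CLI profile with credentials for the gateway, and the key IDs from the page.

# Reconstruct the URL the gateway fetches:
#   rgw_crypt_vault_addr + rgw_crypt_vault_prefix + "/" + key ID
# Tolerates a trailing slash on the address and a missing/extra slash on the prefix.
vault_key_url() {
  local addr="${1%/}" prefix="$2" keyid="${3#/}"
  case "$prefix" in /*) ;; *) prefix="/$prefix" ;; esac   # ensure one leading slash
  printf '%s%s/%s\n' "$addr" "${prefix%/}" "$keyid"
}

# Upload with SSE-KMS, confirm the gateway recorded the encryption metadata,
# then download and byte-compare to prove the round trip through Vault works.
sse_kms_upload_and_verify() {
  local endpoint="$1" bucket="$2" src="$3" key="$4" kms_key_id="$5"
  local sse stored_key_id tmp rc

  aws --endpoint="$endpoint" s3 cp "$src" "s3://$bucket/$key" \
      --sse aws:kms --sse-kms-key-id "$kms_key_id" || return 1

  # head-object surfaces x-amz-server-side-encryption and
  # x-amz-server-side-encryption-aws-kms-key-id as ServerSideEncryption / SSEKMSKeyId.
  sse=$(aws --endpoint="$endpoint" s3api head-object --bucket "$bucket" --key "$key" \
          --query 'ServerSideEncryption' --output text) || return 1
  stored_key_id=$(aws --endpoint="$endpoint" s3api head-object --bucket "$bucket" --key "$key" \
          --query 'SSEKMSKeyId' --output text) || return 1
  if [ "$sse" != "aws:kms" ] || [ "$stored_key_id" != "$kms_key_id" ]; then
    echo "object is not SSE-KMS under $kms_key_id (got: $sse / $stored_key_id)" >&2
    return 1
  fi

  # Download: the gateway fetches the key from Vault again and decrypts transparently.
  tmp=$(mktemp) || return 1
  aws --endpoint="$endpoint" s3 cp "s3://$bucket/$key" "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
  if cmp -s "$src" "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}

# The live check only runs when explicitly requested, so the file can be sourced safely.
if [ "${SSE_DEMO_RUN:-0}" = 1 ]; then
  echo "KV engine key URL: $(vault_key_url http://vault-server:8200 /v1/secret/data myproject/mybucketkey)"
  sse_kms_upload_and_verify http://radosgw:8000 mybucket plaintext.txt encrypted.txt myproject/mybucketkey \
    && echo "SSE-KMS round trip OK"
fi
```

Run it with SSE_DEMO_RUN=1 to perform the upload, the metadata check and the round trip against a real gateway. Two caveats a practitioner should keep in mind: only the key ID travels in the request, but the object body itself is sent in clear to the gateway, so the http:// endpoint in the examples is only acceptable when TLS is terminated in front of the gateway or on a trusted network; and the Ceph Object Gateway option rgw_crypt_require_ssl, which defaults to true, rejects requests carrying encryption options over plain HTTP, so a gateway that accepts these commands over http:// either sits behind a TLS terminator or has that option switched off.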