Applying encryption in-transit on a Red Hat Ceph Storage cluster

Learn how to apply encryption in-transit on a Red Hat Ceph Storage cluster.

Procedure

  1. Apply the encryption in-transit settings.
    [root@ceph-client ~]# ceph config set global ms_client_mode secure
    [root@ceph-client ~]# ceph config set global ms_cluster_mode secure
    [root@ceph-client ~]# ceph config set global ms_service_mode secure
    [root@ceph-client ~]# ceph config set global rbd_default_map_options ms_mode=secure
  2. Check the settings.
    [root@ceph-client ~]# ceph config dump | grep ms_
    global   basic      ms_client_mode secure                    *
    global   basic      ms_cluster_mode secure                   *
    global   basic      ms_service_mode secure                   *
    global   advanced   rbd_default_map_options ms_mode=secure   *
  3. Restart all Ceph daemons.
    [root@ceph-client ~]# ceph orch ls --format plain | tail -n +2 | awk '{print $1}' | xargs -I {} ceph orch restart {}
    Scheduled to restart alertmanager.osd-0 on host 'osd-0'
    Scheduled to restart ceph-exporter.osd-0 on host 'osd-0'
    Scheduled to restart ceph-exporter.osd-2 on host 'osd-2'
    Scheduled to restart ceph-exporter.osd-3 on host 'osd-3'
    Scheduled to restart ceph-exporter.osd-1 on host 'osd-1'
    Scheduled to restart crash.osd-0 on host 'osd-0'
    Scheduled to restart crash.osd-2 on host 'osd-2'
    Scheduled to restart crash.osd-3 on host 'osd-3'
    Scheduled to restart crash.osd-1 on host 'osd-1'
    Scheduled to restart grafana.osd-0 on host 'osd-0'
    Scheduled to restart mds.fsvol001.osd-0.lpciqk on host 'osd-0'
    Scheduled to restart mds.fsvol001.osd-2.wocnxz on host 'osd-2'
    Scheduled to restart mgr.osd-0.dtkyni on host 'osd-0'
    Scheduled to restart mgr.osd-2.kqcxwu on host 'osd-2'
    Scheduled to restart mon.osd-2 on host 'osd-2'
    Scheduled to restart mon.osd-3 on host 'osd-3'
    Scheduled to restart mon.osd-1 on host 'osd-1'
    Scheduled to restart node-exporter.osd-0 on host 'osd-0'
    Scheduled to restart node-exporter.osd-2 on host 'osd-2'
    Scheduled to restart node-exporter.osd-3 on host 'osd-3'
    Scheduled to restart node-exporter.osd-1 on host 'osd-1'
    Scheduled to restart osd.1 on host 'osd-0'
    Scheduled to restart osd.4 on host 'osd-0'
    Scheduled to restart osd.0 on host 'osd-2'
    Scheduled to restart osd.5 on host 'osd-2'
    Scheduled to restart osd.2 on host 'osd-3'
    Scheduled to restart osd.6 on host 'osd-3'
    Scheduled to restart osd.3 on host 'osd-1'
    Scheduled to restart osd.7 on host 'osd-1'
    Scheduled to restart prometheus.osd-0 on host 'osd-0'
    Scheduled to restart rgw.rgw.ssl.osd-1.smzpfj on host 'osd-1'

    Wait for all the daemons to finish restarting.
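
The check in step 2 can be scripted so that it fails unless every option is exactly `secure`. A value that lists `crc` alongside `secure` still permits connections with integrity checking only. This is an added example, not part of the original procedure; the function name `check_msgr_secure` and both sample dumps are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit `ceph config dump` text (stdin) for the settings above.
# Returns 0 only if all four options are set at global level and no section
# carries a weaker value. check_msgr_secure is a hypothetical helper name.
check_msgr_secure() {
  awk '
    BEGIN {
      n = split("ms_client_mode ms_cluster_mode ms_service_mode rbd_default_map_options", names, " ")
      for (k = 1; k <= n; k++) want[names[k]] = 1
    }
    {
      # Find the option by name, not column position: the MASK column of the
      # real dump may be empty, which shifts whitespace-split fields.
      for (i = 2; i <= NF; i++) if (($i) in want) break
      if (i > NF) next
      opt = $i; val = ""
      last = ($NF == "*") ? NF - 1 : NF   # drop the trailing * flag column
      for (j = i + 1; j <= last; j++) val = val (val == "" ? "" : " ") $j
      if (opt == "rbd_default_map_options") ok = (("," val ",") ~ /,ms_mode=secure,/)
      else ok = (val == "secure")         # "crc secure" still permits crc
      if ($1 == "global") seen[opt] = 1
      if (!ok) { printf "FAIL %s %s = \"%s\"\n", $1, opt, val; bad = 1 }
    }
    END {
      for (o in want) if (!(o in seen)) { printf "FAIL global %s is not set\n", o; bad = 1 }
      exit bad + 0
    }'
}
# Constructed sample dumps, not captured from a real cluster.
SAMPLE_OK='global basic    ms_client_mode          secure         *
global basic    ms_cluster_mode         secure         *
global basic    ms_service_mode         secure         *
global advanced rbd_default_map_options ms_mode=secure *'
SAMPLE_WEAK='global basic ms_client_mode  crc secure *
global basic ms_cluster_mode secure     *
global basic ms_service_mode secure     *
osd    basic ms_cluster_mode crc        *'
printf "%s\n" "$SAMPLE_WEAK" | check_msgr_secure || echo "weak sample rejected"
```

On a cluster node, pipe the live dump in with `ceph config dump | check_msgr_secure`; a section-level override such as the `osd` line in the weak sample is reported even when the global value is `secure`.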