Using HashiCorp Vault

As a storage administrator, you can securely store keys, passwords, and certificates in the HashiCorp Vault for use with the Ceph Object Gateway. The HashiCorp Vault provides a secure key management service for server-side encryption used by the Ceph Object Gateway.

Figure 1. Ceph Vault integration

The basic workflow:

  1. The client requests the creation of a secret key from the Vault based on an object's key ID.

  2. The client uploads an object with the object's key ID to the Ceph Object Gateway.

  3. The Ceph Object Gateway then requests the newly created secret key from the Vault.

  4. The Vault replies to the request by returning the secret key to the Ceph Object Gateway.

  5. Now the Ceph Object Gateway can encrypt the object using the new secret key.

  6. After encryption is done, the object is stored on the Ceph OSD.
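The six steps above, walked through as an added Python example that is not part of the IBM documentation: the client's SSE-KMS request headers (step 2), the gateway's extraction of the key ID and lookup under a Vault KV v2 path (steps 3 and 4), and the check that the returned secret decodes to a 256-bit key before it is used for AES-256 (step 5). The Vault prefix `/v1/secret/data`, the key ID `myproject/mybucketkey` and the in-memory stand-in for Vault are constructed assumptions.

```python
import base64
import json
import os

# Constructed sample values (not from the page): the KV v2 prefix the gateway
# is assumed to be configured with, and a key ID chosen by the client.
VAULT_PREFIX = "/v1/secret/data"
KEY_ID = "myproject/mybucketkey"

def client_put_headers(key_id):
    """Step 2: headers an S3 client sends so the gateway encrypts with SSE-KMS."""
    return {
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": key_id,
    }

def gateway_key_id(headers):
    """Step 3 (gateway side): pull the key ID out of an SSE-KMS request.
    Returns None for plain uploads; refuses aws:kms requests that name no key."""
    if headers.get("x-amz-server-side-encryption") != "aws:kms":
        return None
    key_id = headers.get("x-amz-server-side-encryption-aws-kms-key-id")
    if not key_id:
        raise ValueError("SSE-KMS requested without a key ID")
    return key_id

def vault_secret_path(prefix, key_id):
    """Path the gateway reads from Vault's KV v2 engine for this key ID."""
    return f"{prefix.rstrip('/')}/{key_id.lstrip('/')}"

def vault_stub_read(path, store):
    """Step 4 stand-in for Vault (constructed): a KV v2 style response body.
    A real gateway calls the Vault HTTP API with a token instead."""
    if path not in store:
        return None
    return json.dumps({"data": {"data": {"key": store[path]}}})

def data_key_from_response(body):
    """Step 5 input: decode the base64 secret and require 256 bits (AES-256)."""
    key = base64.b64decode(json.loads(body)["data"]["data"]["key"], validate=True)
    if len(key) != 32:
        raise ValueError(f"expected a 256-bit key, got {len(key) * 8} bits")
    return key

def fetch_data_key(headers, store, prefix=VAULT_PREFIX):
    """Steps 3-5 chained: request headers -> Vault path -> validated key."""
    key_id = gateway_key_id(headers)
    if key_id is None:
        return None
    body = vault_stub_read(vault_secret_path(prefix, key_id), store)
    if body is None:
        raise KeyError(f"no secret at {vault_secret_path(prefix, key_id)}")
    return data_key_from_response(body)

if __name__ == "__main__":
    # Step 1: a fresh 256-bit key is stored under the key ID, base64 encoded,
    # as `vault kv put secret/myproject/mybucketkey key=$(openssl rand -base64 32)` would.
    store = {vault_secret_path(VAULT_PREFIX, KEY_ID): base64.b64encode(os.urandom(32)).decode()}
    print(len(fetch_data_key(client_put_headers(KEY_ID), store)) * 8, "bit key fetched")
```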

Important: IBM works with our technology partners to provide this documentation as a service to our customers. However, IBM does not provide support for this product. If you need technical assistance for this product, then contact HashiCorp for support.

Prerequisites

  • A running IBM Storage Ceph cluster.

  • Installation of the Ceph Object Gateway software.

  • Installation of the HashiCorp Vault software.