ceph-csi-rbd support for integration with transit engine in vault

[nics90]

Describe the feature you'd like to have

What new functionality do you want?

Currently, ceph csi rbd support integration with vault/openbao key-value engine, but the integration with transit engine is also required.

What is the value to the end user? (why is it a priority?)

Openbao/Vault Key-Value engine supports creation of DEK in vault by the CSI driver but the keys cannot be rotated at all. Hence bringing Transit Engine will ease the process of key rotation which is required to be used in production use cases.

How would the end user gain value from having this feature?

Will provide more secure, standard and compliant way to integrate with vault KMS.

How will we know we have a good solution? (acceptance criteria)

Add a list of criteria that should be met for this feature to be useful

Providing integration with all the possible workflows of transit engine that vault/openbao provides.

Additional context

Add any other context or screenshots about the feature request here.

[Madhu-1]

@nixpanic @Rakshith-R PTAL, if this is valid please add help wanted so that we can get help from community to have this feature.

[Madhu-1]

@nics90 if the key rotation is the main goal we already have support for key rotation in ceph-csi

[nics90]

@Madhu-1 : I need help to check and validate the key rotation in ceph csi. I am trying it with open bao. Also, does the rotation of DEK automatically happens when key is rotated, how is the whole flow I could not find much documentation on this.

[Madhu-1]

@Madhu-1 : I need help to check and validate the key rotation in ceph csi. I am trying it with open bao. Also, does the rotation of DEK automatically happens when key is rotated, how is the whole flow I could not find much documentation on this.

we dont support DEK rotation yet, https://github.com/ceph/ceph-csi/tree/devel/docs/design/proposals contains some design docs for supported Key rotation

[nics90]

Even for KEK rotation could not find any documentation around it. Could anyone help me to find answers to few questions:

1. Where exactly KEK is getting stored, is it possible to view it ?
2. Is there a single KEK per ceph cluster or there is an option to create/view/manage multiple KEK's per tenant per volume ?
3. We understand there's an option to create vault token for each tenant but that is just being used by ceph csi to authenticate, hence rotating/changing token here does not actually mean rotating KEK, then how ceph csi is supporting rotation of KEK ?

[Madhu-1]

Even for KEK rotation could not find any documentation around it. Could anyone help me to find answers to few questions:

1. Where exactly KEK is getting stored, is it possible to view it ?

It will be stored in the vault in this case.

2. Is there a single KEK per ceph cluster or there is an option to create/view/manage multiple KEK's per tenant per volume ?

The KEK is generated by cephCSI and its per PVC

3. We understand there's an option to create vault token for each tenant but that is just being used by ceph csi to authenticate, hence rotating/changing token here does not actually mean rotating KEK, then how ceph csi is supporting rotation of KEK ?

https://github.com/ceph/ceph-csi/blob/devel/docs/design/proposals/rbd-pv-key-rotation.md contains the design detains on how its done

[nics90]

Could you please help in getting answer of below queries:
a. How exactly we can fetch the KEK from the vault, since we are able to see DEK corresponding to each PVC but not KEK.
b. What is the API that we can trigger to start rotation of the KEK ? We need this to integrate the rotation key feature itself.

[black-dragon74]

How exactly we can fetch the KEK from the vault, since we are able to see DEK corresponding to each PVC but not KEK.

We only support key rotation for encrypted RBD volumes using LUKS. By (LUKS) design it is not possible to view either the KEK or the DEK. The key you see in KMS is the passphrase that is used to derive the KEK which in-turn decrypted the DEK which unlocks the volume.

What is the API that we can trigger to start rotation of the KEK ? We need this to integrate the rotation key feature itself.

Key rotation is triggered upon receiving gRPC request EncryptionKeyRotate. This request is made by the csi-addons sidecar upon creation of an EncryptionKeyRotationJob. Here are some resources that might be of help:

• Incoming gRPC request from csi-addons to ceph-csi, here.
• Actual process to rotate the passphrase (you may loosely call it KEK), here
• How to implement key rotation, here.