
Alex Chalkias
on 2 July 2020


Do you have a big data center? Do you have terabytes of confidential data stored in that data center? Are you worried that your data might be exposed to malicious attacks? One of the most prominent security features of storage solutions is encryption at rest. This blog post explains encryption at rest in more detail and how it is implemented in Charmed Ceph, Canonical’s software-defined storage solution.

What is data at rest?

Before we dive into encryption, we need to define what data at rest is. There are three states for digital data: data in use, data in transit and data at rest. Data in use refers to active data stored in non-persistent volumes, typically RAM or CPU caches. Data in transit is the state where data is transferred over a network, either private or public. Data at rest means inactive data that is stored physically on persistent storage, i.e. disks, databases, data warehouses, mobile devices, archives, etc. When at rest, data can be subject to malicious threats such as data theft or data corruption by an attacker who obtains physical access to the storage hardware. There are multiple security measures to protect data at rest, including password protection, federation and data encryption.

What is data encryption at rest?

Encryption at rest is the encoding of data when it is persisted. It is designed to prevent an attacker from accessing unencrypted data by ensuring that all raw data is encrypted when it is stored on a persistent device.

Encryption at rest addresses a multitude of potential threats. From the lowest threat level, such as the theft of an HDD or the loss of a server, up to extremes such as the compromise of an entire rack of servers or the entire data center, businesses can have peace of mind as long as the stolen data was encrypted. The attacker could still gain physical access to the storage, but without the encryption keys it is significantly more complex and resource-consuming to read the encrypted data.

Nowadays, most businesses are interested in data security, especially after the introduction of GDPR. Some also need to comply with industry and government regulations such as HIPAA, PCI-DSS and FedRAMP. Encryption at rest is a prerequisite for some of those regulations and Canonical’s security certification program can help your business stay compliant.

How does encryption at rest work?

Encryption of data on block storage in a Linux environment is quite straightforward. The Ubuntu kernel supports dm-crypt for transparent disk encryption, and LUKS provides on-disk encryption key management on top of it. However, encryption at rest also requires a key management solution (KMS) to ensure the security of the encryption keys, together with proper role-based access control (RBAC) definitions.

Ceph encryption at rest

Charmed Ceph supports encryption at rest out-of-the-box both as part of an OpenStack private cloud deployment and as a standalone storage solution. Charmed Ceph is based on a model-driven approach. All Ceph components are wrapped in charms, that is, code that drives lifecycle management automation.

Charmed Ceph uses Vault and Vaultlocker for data encryption at rest to protect against all possible types of physical device loss

For Ceph encryption at rest, the selected KMS is HashiCorp Vault. Vault is a widely used Encryption-as-a-Service solution that supports centralised key management and key rotation to ensure cryptographic best practices. When booting up, Vault needs to be unsealed in order for services to connect to it and read their encryption keys. Unsealing Vault requires its master encryption key, which in turn can only be unlocked with a number of unseal keys. After initialising Vault, the data center operations team needs to provide a token retrieved from Vault to establish a connection between the Ceph charms and Vault.
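The unseal step described above, where a master key can only be reconstructed once enough unseal keys are presented, is a threshold scheme (Vault uses Shamir's secret sharing for this). The following is an added illustration, not code from Charmed Ceph or Vault; it is a toy version over a prime field, whereas Vault's own implementation works byte-wise over GF(2^8).

```python
"""Threshold unsealing in the style of Vault's unseal keys: the master key is
split into N shares and any K of them reconstruct it; fewer reveal nothing.
Toy implementation over a prime field; constructed for illustration only."""
import secrets

# 2**127 - 1 is a Mersenne prime; all arithmetic happens in this field.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, shares, threshold):
    """Split `secret` into `shares` points; any `threshold` of them suffice."""
    if not 1 <= threshold <= shares or not 0 <= secret < PRIME:
        raise ValueError("bad parameters")
    # The constant term is the secret; the other coefficients are random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points):
    """Lagrange interpolation at x = 0 over the given (x, y) share points."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def unseal(threshold, provided):
    """Mimic Vault unseal: stay sealed (None) until `threshold` distinct shares."""
    distinct = dict(provided)  # duplicate shares do not count twice
    if len(distinct) < threshold:
        return None
    return recover_secret(list(distinct.items())[:threshold])


if __name__ == "__main__":
    master = secrets.randbelow(PRIME)
    keys = split_secret(master, shares=5, threshold=3)
    assert unseal(3, keys[:2]) is None                         # still sealed
    assert unseal(3, [keys[0], keys[2], keys[4]]) == master   # unsealed
    print("unsealed with 3 of 5 unseal keys")
```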

Charmed Ceph uses Vaultlocker as the integration component between dm-crypt and Vault. Vaultlocker ensures that encryption keys are persisted only in Vault and are held locally only in memory: they are read from Vault into memory for each subsequent operation, such as unlocking or encrypting a block device, and are never written to local disk.

RBAC is implemented through the Vault charm. The charms use Vault AppRoles to handle communication between Vault and the Ceph cluster. Every storage server in the Ceph cluster has its own AppRole (consisting of a role ID and a secret ID) which can only be used from that server's specific IP address.
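To make the per-host AppRole binding concrete, here is an added model (not Vault's or Charmed Ceph's code) of the checks a login must pass: the role ID must exist, the request must originate from the CIDR bound to that role, and the secret ID must match the stored hash. Host names and addresses are constructed sample values.

```python
"""Model of per-host AppRole login as described in the post: one role per
storage server, usable only from that server's address. Constructed example."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass
class AppRole:
    host: str                       # which Ceph storage server this role is for
    secret_id_hash: bytes           # only a hash of the secret ID is stored
    bound_cidr: ipaddress.IPv4Network


def _hash_secret(secret_id):
    return hashlib.sha256(secret_id.encode()).digest()


def register_role(roles, host, cidr):
    """Create an AppRole for `host`, bound to `cidr`; return (role_id, secret_id).

    The secret ID is returned once to the caller and never stored in clear."""
    role_id, secret_id = secrets.token_hex(16), secrets.token_hex(16)
    roles[role_id] = AppRole(host, _hash_secret(secret_id), ipaddress.ip_network(cidr))
    return role_id, secret_id


def approle_login(roles, role_id, secret_id, source_ip):
    """Return True only if role exists, source is inside its CIDR, secret matches."""
    role = roles.get(role_id)
    if role is None:
        return False
    if ipaddress.ip_address(source_ip) not in role.bound_cidr:
        return False                # valid credentials replayed from another host
    return hmac.compare_digest(role.secret_id_hash, _hash_secret(secret_id))


if __name__ == "__main__":
    roles = {}
    rid, sid = register_role(roles, "ceph-osd-1", "10.0.0.11/32")  # constructed
    print(approle_login(roles, rid, sid, "10.0.0.11"))   # True: bound host
    print(approle_login(roles, rid, sid, "10.0.0.12"))   # False: wrong host
```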

If all of the above sounds fairly complicated, it is mostly because Canonical ensures that the attack surface of Charmed Ceph is as small as possible. Using Vault and Vaultlocker, Charmed Ceph takes a solid approach to data encryption at rest that protects against all possible types of physical device loss in your data center.


Learn more about Charmed Ceph or contact us about your data center storage needs.

Read our Charm Deployment Guide sections on using Vault and encryption-at-rest.
