author: Guillaume Abrioux <gabrioux@ibm.com>, 2024-05-16 17:47:19 +0200
committer: Guillaume Abrioux <gabrioux@ibm.com>, 2024-08-12 10:43:59 +0200
commit: 88836135fd03d28131c58a7440f51de244076166
tree: f884546c60503f5af2fbcd5ad5b8202f2b6d67b5 /doc/cephadm
parent: Merge pull request #59098 from athanatos/sjust/wip-67415-alienstore-mkfs-crash
ceph-volume: add TPM2 token enrollment support for encrypted OSDs

This adds the required changes to ceph-volume and cephadm in order to support
deploying TPM2-token-enrolled encrypted OSDs.

Adding `--with-tpm` when deploying with `--dmcrypt` will enroll a TPM2
token to the corresponding LUKS2 devices.

Example of an OSD service spec:

```
service_type: osd
service_id: tpm2_osds
placement:
  host_pattern: '*'
spec:
  data_devices:
    paths:
      - /dev/sdb
  encrypted: true
  tpm2: true
```

Signed-off-by: Guillaume Abrioux <gabrioux@ibm.com>
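As an added example (not code from this ceph-volume change), a small Python audit that reads the LUKS2 JSON header of an OSD device and reports which keyslots a TPM2 token binds, which PCRs it is sealed against, and whether an independent passphrase keyslot remains as a fallback. It assumes the token is the `systemd-tpm2` type written by systemd-cryptenroll with its `tpm2-pcrs` field, and that `cryptsetup luksDump --dump-json-metadata` is available; the commit does not state how the token is enrolled.

```python
"""Audit a LUKS2 header for TPM2 token enrollment (added example, not ceph-volume code)."""
import json
import subprocess
from typing import Any

# Assumption: token type written by systemd-cryptenroll; the commit does not name it.
TPM2_TOKEN_TYPE = "systemd-tpm2"

# Constructed sample header: keyslot 0 is a passphrase slot, keyslot 1 is bound to a TPM2 token.
SAMPLE_HEADER = {
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {"0": {"type": TPM2_TOKEN_TYPE, "keyslots": ["1"], "tpm2-pcrs": [7]}},
}

# Constructed sample with no independent keyslot: a firmware update that changes PCR 7
# would leave this OSD impossible to unlock without a rescue path.
SAMPLE_NO_FALLBACK = {
    "keyslots": {"1": {"type": "luks2"}},
    "tokens": {"0": {"type": TPM2_TOKEN_TYPE, "keyslots": ["1"], "tpm2-pcrs": [7]}},
}


def luks2_metadata(device: str) -> dict[str, Any]:
    """Dump the LUKS2 JSON header of `device` (needs root and cryptsetup 2.x)."""
    proc = subprocess.run(
        ["cryptsetup", "luksDump", "--dump-json-metadata", device],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


def audit_tpm2_tokens(meta: dict[str, Any]) -> dict[str, Any]:
    """Return TPM2-bound keyslots, the PCRs each token uses, and any non-TPM fallback keyslots."""
    keyslots = set(meta.get("keyslots", {}))
    tpm_bound: set[str] = set()
    pcrs: dict[str, list[int]] = {}
    for tid, tok in meta.get("tokens", {}).items():
        if tok.get("type") == TPM2_TOKEN_TYPE:
            tpm_bound |= set(tok.get("keyslots", []))
            pcrs[tid] = list(tok.get("tpm2-pcrs", []))
    return {
        "enrolled": bool(pcrs),
        "tpm2_pcrs": pcrs,
        "tpm2_keyslots": sorted(tpm_bound),
        # Keyslots not tied to the TPM: the recovery path if the TPM policy stops matching.
        "fallback_keyslots": sorted(keyslots - tpm_bound),
    }


if __name__ == "__main__":
    print(audit_tpm2_tokens(SAMPLE_HEADER))
```

On a real host, call `audit_tpm2_tokens(luks2_metadata("/dev/sdb"))` for each OSD data device and treat an empty `fallback_keyslots` list as a finding to review.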
Diffstat (limited to 'doc/cephadm')

doc/cephadm/services/osd.rst | 15 +++++++++++++++
1 file changed, 15 insertions(+), 0 deletions(-)
diff --git a/doc/cephadm/services/osd.rst b/doc/cephadm/services/osd.rst index 5ad39de8569..3ed091a06a5 100644 --- a/doc/cephadm/services/osd.rst +++ b/doc/cephadm/services/osd.rst @@ -666,6 +666,21 @@ This example would deploy all OSDs with encryption enabled. all: true encrypted: true +Ceph Squid onwards support tpm2 token enrollment to LUKS2 devices. +You can add the `tpm2` to your OSD spec: + +.. code-block:: yaml + + service_type: osd + service_id: example_osd_spec_with_tpm2 + placement: + host_pattern: '*' + spec: + data_devices: + all: true + encrypted: true + tpm2: true + See a full list in the DriveGroupSpecs .. py:currentmodule:: ceph.deployment.drive_group |
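Review bot: the two added prose lines need a grammar pass before this merges: "Ceph Squid onwards support tpm2 token enrollment to LUKS2 devices" should read "supports ... for LUKS2 devices", and "You can add the `tpm2` to your OSD spec:" is missing its noun (suggest "You can add the `tpm2` key to your OSD spec:"). The paragraph also leaves the dependency implicit: `tpm2: true` only has a LUKS2 device to act on when `encrypted: true` is set, which the example shows but the text never states, and the `--with-tpm` flag from the commit message is not mentioned here at all. One sentence stating that `tpm2` requires `encrypted`, plus a pointer to the cephadm/ceph-volume flag, would save readers a failed or silently unencrypted deployment.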