Swift Object Encryption Janie Richling IBM Alistair Coles Hewlett - - PowerPoint PPT Presentation

SLIDE 1

Swift Object Encryption

Janie Richling

IBM

Alistair Coles

Hewlett Packard Enterprise

SLIDE 2

Taking a look upstream…

Image: https://pixabay.com/en/sailor-spyglass-man-ship-lookout-40090/
SLIDE 3

Image: Rusty Weise

It’s a community effort

Contributions from:

Sam Merritt (SwiftStack)
Mahati Chamarthy (Intel)
Hamdi Roumani (IBM)
Thiago Da Silva (Red Hat)
Peter Chng (IBM)
Jonathan Hinson (IBM)
Tim Burke (SwiftStack)
Christian Cachin (IBM)
Janie Richling (IBM)
Alistair Coles (HPE)

SLIDE 4

Swift is an object store

Create (PUT, COPY)
Read (GET, HEAD)
Update (POST)
Delete (DELETE)

REST API via HTTP protocol

containers

objects

accounts

REST API

tenant_1 images img_1 img_2 tenant_2 pictures video 001 002 abc

SLIDE 5

Swift is an object store

curl http://swift:8080/v1/tenant_1/images/004 -X PUT
curl http://swift:8080/v1/tenant_2/video/abc -X GET

REST API via HTTP protocol

SLIDE 6

Swift is scalable

curl http://swift:8080/v1/tenant_1/images/004 -X PUT
curl http://swift:8080/v1/tenant_2/video/abc -X GET

Load is distributed using modified consistent hashing

Proxy servers Storage nodes

SLIDE 8

Swift is durable

curl http://swift:8080/v1/tenant_1/images/004 -X PUT
curl http://swift:8080/v1/tenant_2/video/abc -X GET

Data is protected using erasure coding or replication

Proxy servers Storage nodes

SLIDE 10

Swift is not insecure

Image: https://pixabay.com/en/shield-fence-wire-mesh-fence-note-511714/

Proxy servers Storage nodes

Access is controlled, e.g. using Keystone identity service and RBAC
Only proxy nodes have externally facing network interfaces

SLIDE 11

But what about this guy?

SLIDE 12

Hardware encryption

Self encrypting drives/disk controllers

+ performance
+ metadata is encrypted as well as data
- hardware upgrade
- no support for user provided keys

Image: https://pixabay.com/en/hard-drive-hdd-disk-data-store-503960/

Proxy servers Storage nodes

SLIDE 13

Virtual block device encryption

dm-crypt

+ software solution
+ metadata is encrypted as well as data
- no support for user provided keys
- repeated encryption of object replicas
- data must move to new virtual disks

Proxy servers Storage nodes

SLIDE 14

Swift encryption middleware

+ allows integration with Barbican
+ allows user provided keys (BYOK)
+ upgrade without impacting existing data
+ internal data in flight is encrypted
- only user data is encrypted
- existing data needs migrating to be encrypted

Proxy servers Storage nodes

Image: https://pixabay.com/en/under-construction-construction-area-150271/
SLIDE 15

Swift encryption middleware

encrypter decrypter keymaster

First middleware last middleware

SLIDE 16

Service managed keys

encrypter decrypter keymaster

First middleware last middleware

Keys are never cached or persisted

Request with credentials Root Secret

SLIDE 17

Key Derivation

account1
  containerA
    object1
    object2
    object3
  containerB

Key derivation alg

hmac(Secret, 'account1/containerA') =
hmac(Secret, 'account1/containerA/object1') =
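
The derivation on this slide, written out as an added example; it is not code from the presentation or from the Swift code base. Assumptions: SHA-256 as the HMAC hash (the slide does not name one), the hypothetical function names derive_key and keys_for_request, and a constructed sample root secret.

```python
import hashlib
import hmac

KEY_LEN = 32  # 256 bits, matching the AES 256-bit keys named on slide 21


def derive_key(root_secret, path):
    """hmac(Secret, path) from slide 17. SHA-256 is an assumption: the slide
    does not name the hash; it is chosen here because it yields 32 bytes."""
    if len(root_secret) < KEY_LEN:
        raise ValueError("root secret shorter than the keys derived from it")
    return hmac.new(root_secret, path.encode("utf-8"), hashlib.sha256).digest()


def keys_for_request(root_secret, account, container, obj=None):
    """Re-derive the keys one request needs; nothing is cached or stored."""
    for name in (account, container):
        # A '/' inside an account or container name would let the path
        # 'acct/a/b' mean both container 'a/b' and object 'b' in container
        # 'a', so both would get the same key. Reject such names.
        if not name or "/" in name:
            raise ValueError("invalid account/container name: %r" % name)
    container_path = "%s/%s" % (account, container)
    keys = {"container": derive_key(root_secret, container_path)}
    if obj is not None:
        # Object names may contain '/': they come last, so an object path
        # always has at least two separators and a container path exactly one.
        keys["object"] = derive_key(root_secret, container_path + "/" + obj)
    return keys


if __name__ == "__main__":
    secret = bytes(range(32))  # constructed sample root secret, not a real one
    a = keys_for_request(secret, "account1", "containerA", "object1")
    b = keys_for_request(secret, "account1", "containerA", "object2")
    print("container key :", a["container"].hex())
    print("object1 key   :", a["object"].hex())
    print("object2 key   :", b["object"].hex())
```

Because every key is a function of the root secret and the path alone, the keymaster can recompute it on each request, which is what lets the earlier slide say keys are never cached or persisted.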

SLIDE 18

BYOK: push model

encrypter decrypter keymaster

First middleware last middleware

Keys are never cached or persisted

Request with credentials

SLIDE 19

BYOK: pull model

Key Server/ Barbican

encrypter decrypter keymaster

First middleware last middleware

Request with credentials

SLIDE 20

What gets encrypted

Key                 Pre-encrypt Values
Etag                4b7550f00f2e80408b8bb2d6dc7f705f
Content-type        text/plain
Content-length      28
X-Object-Meta-Tag   Bank account password
Body                correct horse battery staple

Key                 Post-encrypt Values
Etag                LQIpWr6BPR1RUDxmnWrQX1JemA3JegzPI9yd9QmkBOo=
Content-type        text/plain
Content-length      28
X-Object-Meta-Tag   VEVYRwZYXVVC9QTEFJTg==
Body                *?/uew(liet#\4*!@j[>.6-f!y$\

SLIDE 21

Method of encryption

  • AES 256-bit keys
  • CTR Mode
  • cryptography python library

SLIDE 22

Method of encryption

SLIDE 23

Demo

Image: https://pixabay.com/en/crossed-fingers-cross-fingers-363478/
SLIDE 24

What's so hard?

  • Etag
  • Conditional and ranged GETs
  • Container listing
  • Maximum length increase from

Encoding encrypted headers

  • Future challenges
      • Content-type
      • Container tempURL metadata
      • Client keys:
          • Container-sync
          • ACLs
          • TempURLs
          • public containers
SLIDE 25

Status

  • https://github.com/openstack/swift/tree/feature/crypto
  • Goal for Newton Release
SLIDE 26

Team work


SLIDE 27

Spec: http://specs.openstack.org/openstack/swift-specs/specs/in_progress/at_rest_encryption.html
Code: https://github.com/openstack/swift/tree/feature/crypto