unlock_ceph stores Ceph's disk encryption keys in Vault, restores
them to a tmpfs, and links them into place for Ceph's use.
unlock-ceph is a daemon that accompanies a Ceph installation and moves Ceph's dmcrypt keys to remote storage (HashiCorp Vault) so that they are not stored on disk. The motivation is to protect against the threat of a whole machine being removed from the datacenter, rather than only against bad disks being thrown away.
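
An operator can check that the layout described above actually holds on a node, that is, that every entry in the key directory is a link whose target lives on tmpfs. The following is an added example, not unlock-ceph's own code; the key directory `/etc/ceph/dmcrypt-keys`, the tmpfs mount point `/run/ceph-keys` and all function names are assumptions.

```python
import os

# Constructed /proc/mounts sample; /run/ceph-keys is an assumed tmpfs mount point.
SAMPLE_MOUNTS = (
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "tmpfs /run tmpfs rw,nosuid,nodev 0 0\n"
    "tmpfs /run/ceph-keys tmpfs rw,nosuid,nodev,noexec,mode=700 0 0\n"
)

def parse_mounts(text):
    """Return [(mount_point, fstype)] from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            # /proc/mounts escapes spaces in paths as \040
            mounts.append((fields[1].replace("\\040", " "), fields[2]))
    return mounts

def fstype_for(path, mounts):
    """Filesystem type of the deepest mount point containing path."""
    best, best_type = "", None
    for mount_point, fstype in mounts:
        prefix = mount_point.rstrip("/") + "/"
        inside = path == mount_point or path.startswith(prefix)
        if inside and len(mount_point) >= len(best):
            best, best_type = mount_point, fstype
    return best_type

def audit_key_dir(key_dir, mounts):
    """Return {entry: problem} for keys whose bytes are not held on tmpfs."""
    problems = {}
    for name in sorted(os.listdir(key_dir)):
        entry = os.path.join(key_dir, name)
        if not os.path.islink(entry):
            problems[name] = "not a symlink: entry lives in the key directory itself"
            continue
        target = os.path.realpath(entry)
        if not os.path.exists(target):
            problems[name] = "dangling link: key has not been restored"
        elif fstype_for(target, mounts) != "tmpfs":
            problems[name] = "link target is not on tmpfs"
    return problems

if __name__ == "__main__":
    # Assumed key directory; pass the one your Ceph deployment uses.
    with open("/proc/mounts") as f:
        live = parse_mounts(f.read())
    for name, problem in audit_key_dir("/etc/ceph/dmcrypt-keys", live).items():
        print(f"{name}: {problem}")
```

An empty result means no key material was found on persistent storage under that directory. tmpfs pages can still be written to swap, so the guarantee also depends on swap being disabled or encrypted.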