swift object encryption
play

Swift Object Encryption Janie Richling IBM Alistair Coles Hewlett - PowerPoint PPT Presentation

Dec 31, 2022 •268 likes •549 views

Swift Object Encryption Janie Richling IBM Alistair Coles Hewlett Packard Enterprise Taking a look upstream Image: https://pixabay.com/en/sailor-spyglass-man-ship-lookout-40090/ Its a community effort Contributions from: Sam Merritt

  1. Swift Object Encryption Janie Richling IBM Alistair Coles Hewlett Packard Enterprise

  2. Taking a look upstream… Image: https://pixabay.com/en/sailor-spyglass-man-ship-lookout-40090/

  3. It’s a community effort Contributions from: Sam Merritt (SwiftStack) Mahati Chamarthy (Intel) Hamdi Roumani (IBM) Thiago Da Silva (Red Hat) Peter Chng (IBM) Jonathan Hinson (IBM) Tim Burke (SwiftStack) Christian Cachin (IBM) Janie Richling (IBM) Alistair Coles (HPE) Image: Rusty Weise

  4. Swift is an object store REST API via HTTP protocol accounts containers objects img_1 tenant_1 images Create ( PUT, COPY) img_2 Read ( GET, HEAD) REST API 001 Update ( POST) pictures 002 Delete ( DELETE) tenant_2 video abc

  5. Swift is an object store REST API via HTTP protocol accounts containers objects img_1 curl http://swift:8080/v1/tenant_1/images/004 -X PUT tenant_1 images img_2 REST API 001 pictures 002 tenant_2 video abc curl http://swift:8080/v1/tenant_2/video/abc -X GET

  6. Swift is scalable Load is distributed using modified consistent hashing Storage nodes Proxy servers curl http://swift:8080/v1/tenant_1/images/004 -X PUT curl http://swift:8080/v1/tenant_2/video/abc -X GET

  7. Swift is scalable Load is distributed using modified consistent hashing Storage nodes Proxy servers curl http://swift:8080/v1/tenant_1/images/004 -X PUT curl http://swift:8080/v1/tenant_2/video/abc -X GET

  8. Swift is durable Data is protected using erasure coding or replication Storage nodes Proxy servers curl http://swift:8080/v1/tenant_1/images/004 -X PUT curl http://swift:8080/v1/tenant_2/video/abc -X GET

  9. Swift is durable Data is protected using erasure coding or replication Storage nodes Proxy servers curl http://swift:8080/v1/tenant_1/images/004 -X PUT curl http://swift:8080/v1/tenant_2/video/abc -X GET

  10. Swift is not insecure Access is controlled e.g. using Keystone identity service and RBAC Only proxy nodes have externally facing network interfaces Storage nodes Proxy servers Image: https://pixabay.com/en/shield-fence-wire-mesh-fence-note-511714/

  11. But what about this guy?

  12. Hardware encryption Self encrypting drives/disk controllers + performance - hardware upgrade + metadata is encrypted as well as data - no support for user provided keys Storage nodes Proxy servers Image: https://pixabay.com/en/hard-drive-hdd-disk-data-store-503960/

  13. Virtual block device encryption + software solution - no support for user provided keys + metadata is encrypted as well as data - repeated encryption of object replicas - data must move to new virtual disks Storage nodes Proxy servers dm-crypt

  14. Swift encryption middleware + allows integration with Baribcan - only user data is encrypted + allows user provided keys (BYOK) - existing data needs migrating to be encrypted + upgrade without impacting existing data + internal data in flight is encrypted Storage nodes Proxy servers Image: https://pixabay.com/en/under-construction-construction-area-150271/

  15. Swift encryption middleware decrypter keymaster encrypter last middleware First middleware

  16. Service managed keys Root Secret Request with Keys are never cached or credentials persisted decrypter keymaster encrypter last middleware First middleware

  17. Key Derivation account1 Key derivation alg hmac(Secret, 'account1/containerA') = containerB containerA hmac(Secret, object2 object3 object1 'account1/containerA/object1') =

  18. BYOK: push model Request with Keys are never cached or credentials persisted decrypter keymaster encrypter last middleware First middleware

  19. BYOK: pull model Key Server/ Barbican Request with credentials decrypter keymaster encrypter last middleware First middleware

  20. What gets encrypted Key Pre-encrypt Values Key Post-encrypt Values Etag 4b7550f00f2e80408b8bb2d6dc7f705f Etag LQIpWr6BPR1RUDxmnWrQX1JemA3J egzPI9yd9QmkBOo= Content- text/plain Content- text/plain type type Content- 28 Content- 28 length length X-Object- Bank account password X-Object- VEVYRwZYXVVC9QTEFJTg== Meta-Tag Meta-Tag Body correct horse battery staple Body *?/uew(liet#\4*!@j[>.6-f!y$\

  21. Method of encryption - AES 256-bit keys - CTR Mode - cryptography python library

  22. Method of encryption

  23. Demo Image: https://pixabay.com/en/crossed-fingers-cross-fingers-363478/

  24. What's so hard? • Etag • Conditional and ranged GETs • Container listing • Maximum length increase from Encoding encrypted headers • Future challenges • Content-type • Container tempURL metadata • Client keys: • Container-sync • ACLs • TempURLs • public containers

  25. Status • https://github.com/openstack/swift/tree/feature/crypto • Goal for Newton Release

  26. Team work Contributions from: Sam Merritt (SwiftStack) Mahati Chamarthy (Intel) Hamdi Roumani (IBM) Thiago Da Silva (Red Hat) Peter Chng (IBM) Jonathan Hinson (IBM) Tim Burke (SwiftStack) Christian Cachin (IBM) Janie Richling (IBM) Alistair Coles (HPE)

  27. Spec: http://specs.openstack.org/openstack/swift-specs/specs/in_progress/at_rest_encryption.html Code: https://github.com/openstack/swift/tree/feature/crypto

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OpenStack Swift OpenStack Summit Atlanta 2014 Martin Lanner & Hugo Kuo May 15, 2014 Agenda

OpenStack Swift OpenStack Summit Atlanta 2014 Martin Lanner & Hugo Kuo May 15, 2014 Agenda

OpenStack Swift OpenStack Summit Atlanta 2014 Martin Lanner & Hugo Kuo May 15, 2014 Agenda Object Storage & Swift How Swift Works Installing Swift: Hands-on Lab Manual Swift installation (20 minutes)

1.15k views • 59 slides
COMBINING SWIFT AND OBJECTIVE-C AGENDA Using Objective-C from Swift Using Swift from

COMBINING SWIFT AND OBJECTIVE-C AGENDA Using Objective-C from Swift Using Swift from

COMBINING SWIFT AND OBJECTIVE-C AGENDA Using Objective-C from Swift Using Swift from Objective-C Objective-C Behavior in Swift Classes IMPORTING OBJECTIVE-C INTO SWIFT APPLE FRAMEWORKS No additional setup required! import UIKit import

339 views • 22 slides
SWIFT presentation SWIFT for Corporates - Do not share without SWIFT's prior consent 2 Whats

SWIFT presentation SWIFT for Corporates - Do not share without SWIFT's prior consent 2 Whats

SWIFT presentation SWIFT for Corporates - Do not share without SWIFT's prior consent 2 Whats SWIFT? 3 +12k customers connected core values worldwide community innovation +200 excellence countries 3 a cooperative serving the

572 views • 34 slides
Developing applications using OpenStack Swift as Storage All about the API features to power up

Developing applications using OpenStack Swift as Storage All about the API features to power up

Developing applications using OpenStack Swift as Storage All about the API features to power up your apps Christian Schwede, Software Engineer, Red Hat FOSDEM 2018, Brussels What is OpenStack Swift? Object Storage Flat namespace

360 views • 32 slides
Swift Swiftly A quick introduction to the Swift language Oliver Jones Technical Director

Swift Swiftly A quick introduction to the Swift language Oliver Jones Technical Director

Swift Swiftly A quick introduction to the Swift language Oliver Jones Technical Director Disclaimer Learning Swift iBooks The Swift Programming Language Using Swift with Cocoa and Objective-C Apple Developer Documentation

332 views • 32 slides
Swift Follow-Up Observations of s and +GW events Swift follow-up of IceCube

Swift Follow-Up Observations of s and +GW events Swift follow-up of IceCube

Azadeh Keivani Columbia Universi tz AMON Workshop Chiba, Japan May 21, 2019 Swift Follow-Up Observations of s and +GW events Swift follow-up of IceCube neutrinos 2 Swift is a powerful tool to search for transients

811 views • 30 slides
Building a Parallel Cloud Storage System using OpenStacks Swift Object Store and

Building a Parallel Cloud Storage System using OpenStacks Swift Object Store and

Building a Parallel Cloud Storage System using OpenStacks Swift Object Store and Transformative Parallel I/O or Parallel Cloud Storage as an Alternative Archive Solution Andrew AJ Burns Kaleb Lora Martel Shorter Esteban Martinez

1.37k views • 29 slides
Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key

Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key

Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key Management Service Client Side Encryption AWS Encryption SDK Server Side Encryption S3 Object Encryption Amazon Simple Storage Service

387 views • 22 slides
Object Striping in Swift OpenStack Summit 2013, Hong Kong Author/Presenter: Shriram Pore, Sr.

Object Striping in Swift OpenStack Summit 2013, Hong Kong Author/Presenter: Shriram Pore, Sr.

Object Striping in Swift OpenStack Summit 2013, Hong Kong Author/Presenter: Shriram Pore, Sr. Architect Contributors: Bipin Kunal, Kashish Bhatia Agenda Problem statement Proposed solution Solution prerequisites Approach - I :

910 views • 65 slides
Good Morning SWIFT HI! I'm Marc Prud'hommeaux marc@glimpse.io Swift Public beta: June 2014

Good Morning SWIFT HI! I'm Marc Prud'hommeaux marc@glimpse.io Swift Public beta: June 2014

Good Morning SWIFT HI! I'm Marc Prud'hommeaux marc@glimpse.io Swift Public beta: June 2014 v1.0: September 2014 v1.2: February 2015 POLL: Swift? Agenda 1. Swift Syntax 2. Interesting Stuff 3. Questions (GOTO Guide) // Swift Bank &

1.53k views • 102 slides
Pippa Leary, CEO SWIFT MEDIA CEO Messages What is Swift? TRANSITIONING TO A STRONGER

Pippa Leary, CEO SWIFT MEDIA CEO Messages What is Swift? TRANSITIONING TO A STRONGER

ASX: SW1 H1 Results February 27, 2020 Pippa Leary, CEO SWIFT MEDIA CEO Messages What is Swift? TRANSITIONING TO A STRONGER FUTURE H1 Update Swift is a specialist media company delivering a high Strategic Progress proportion of

964 views • 16 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
Distribution Nion Swift Workshop Chris Meyer 2018 October 5 Nion Swift is software for

Distribution Nion Swift Workshop Chris Meyer 2018 October 5 Nion Swift is software for

Nion Swift Plug-in Distribution Nion Swift Workshop Chris Meyer 2018 October 5 Nion Swift is software for integrating instrument control, data acquisition, organization, visualization, and analysis using Python. Nion Swift Plug-in

199 views • 15 slides
Swift Fox By Ruby Stucki Looks The swift fox is a small, light orange-tan fox with large ears,

Swift Fox By Ruby Stucki Looks The swift fox is a small, light orange-tan fox with large ears,

Swift Fox By Ruby Stucki Looks The swift fox is a small, light orange-tan fox with large ears, fur, and a black-tipped tail. It is 5 to 7 pounds when full grown. Where It Lives The swift fox lives in a den on short-grass prairies and

650 views • 8 slides
SWIFT: Administration SWIM Industry Collaboration Workshop #10 SWIM, Services & SWIFT

SWIFT: Administration SWIM Industry Collaboration Workshop #10 SWIM, Services & SWIFT

Federal Aviation SWIFT: Administration SWIM Industry Collaboration Workshop #10 SWIM, Services & SWIFT (SWIM Industry-FAA Team) FAA SWIM Program Communications, Information and Network Programs May 20 th , 2020 SWIFT Collaborative

2.09k views • 91 slides
SWIFT: Administration SWIM Industry Collaboration Workshop #6 SWIM, Services & SWIFT

SWIFT: Administration SWIM Industry Collaboration Workshop #6 SWIM, Services & SWIFT

Federal Aviation SWIFT: Administration SWIM Industry Collaboration Workshop #6 SWIM, Services & SWIFT (SWIM Industry-FAA Team) FAA SWIM Program Communications, Information and Network Programs May 21-22, 2018 SWIFT Collaborative

2.39k views • 140 slides
Web Security Course: EPL 682 Name: Savvas Savva [1] A. Barth and C. Jackson and J. Mitchell ,

Web Security Course: EPL 682 Name: Savvas Savva [1] A. Barth and C. Jackson and J. Mitchell ,

Web Security Course: EPL 682 Name: Savvas Savva [1] A. Barth and C. Jackson and J. Mitchell , Robust Defenses for Cross - Site Request Forgery, pub. in 15th ACM Conference, 2008. [2] L. Huang and A. Moshchuk and H. Wang , Clickjacking:

828 views • 57 slides
Virtual Private Networks -Prekshu Ajmera Virtual Private Network Internet runs on public

Virtual Private Networks -Prekshu Ajmera Virtual Private Network Internet runs on public

Virtual Private Networks -Prekshu Ajmera Virtual Private Network Internet runs on public lines that are insecure Need to communicate securely Private lines : costly option VPN Secure private communications over public

671 views • 27 slides
Public Information Meeting Davis Pressure Plane Expansion Phase 1 Project No. WUOP16011 January

Public Information Meeting Davis Pressure Plane Expansion Phase 1 Project No. WUOP16011 January

Public Information Meeting Davis Pressure Plane Expansion Phase 1 Project No. WUOP16011 January 31, 2018 Ms. Lana Wolff City of Arlington City Council Member (District 5) (817) 459-6122 Keith Hamby City of Arlington Construction Inspector

248 views • 13 slides
2019 SMP Packages 1-V Sira Guajardo, P.E. Mariya Kret, P.E. Pipelines Governmental Janie

2019 SMP Packages 1-V Sira Guajardo, P.E. Mariya Kret, P.E. Pipelines Governmental Janie

2019 SMP Packages 1-V Sira Guajardo, P.E. Mariya Kret, P.E. Pipelines Governmental Janie Powell Contract Administrator Jonathan Miranda, MSJP Contract Administrator Pre-Bid Meeting Monday, August 6, 2018 August 6, 2018 Page 2 Oral

638 views • 48 slides
SW I FT CONFERENCE 2 0 0 6 PAVEMENT DEFECTS AND REPAI R Mounir Moughabghab PEng AAE Outline 1 .

SW I FT CONFERENCE 2 0 0 6 PAVEMENT DEFECTS AND REPAI R Mounir Moughabghab PEng AAE Outline 1 .

SW I FT CONFERENCE 2 0 0 6 PAVEMENT DEFECTS AND REPAI R Mounir Moughabghab PEng AAE Outline 1 . I ntroduction to Pavem ent Defects 1 . I ntroduction to Pavem ent Defects 2 . Pavem ent Quality Characteristics 2 . Pavem ent Quality

442 views • 32 slides
2/12/2019 Northeast Healthcare Preparedness Coalition Husky Energy Response Jo M. Thompson, MPH,

2/12/2019 Northeast Healthcare Preparedness Coalition Husky Energy Response Jo M. Thompson, MPH,

2/12/2019 Northeast Healthcare Preparedness Coalition Husky Energy Response Jo M. Thompson, MPH, Regional Healthcare Preparedness Coordinator Adam Shadiow, MBA, Regional Healthcare Preparedness Coordinator Marilyn Cluka, MS, RN, PHN, Public

604 views • 14 slides
THIALFI A Client Notification Service for Internet-Scale Applications Authors: Atul Adya, Gregory

THIALFI A Client Notification Service for Internet-Scale Applications Authors: Atul Adya, Gregory

THIALFI A Client Notification Service for Internet-Scale Applications Authors: Atul Adya, Gregory Cooper, Daniel Myers, Michael Piatek Google, Inc. Karol Nienatowski Problem Ensuring the freshness of client data for applications that rely

616 views • 39 slides
User & Device Identity For Microservices @ Netflix Scale Satyajit Thadeshwar QCon San

User & Device Identity For Microservices @ Netflix Scale Satyajit Thadeshwar QCon San

User & Device Identity For Microservices @ Netflix Scale Satyajit Thadeshwar QCon San Francisco 2019 Logged out? #$%&! User & Device Identity for Microservices @ Netflix Scale Satyajit Thadeshwar Logged out? #$%&! User

1.28k views • 109 slides

More recommend