Ceph is a storage platform with a distinct control plane and data plane. A secure deployment isolates cluster traffic, enforces CephX authentication for every client and daemon, and protects the monitor (MON) quorum services.
- Separate public client network and cluster replication network.
- Restrict MON, MGR, and OSD ports to trusted subnets.
- Block direct internet exposure of Ceph services.
- Keep CephX enabled for all clients and daemons.
- Use least-privilege client caps for RBD/CephFS users.
- Rotate client keys when staff leave or when ownership of a service changes.
¶ Dashboard and API Security
- Enable TLS for the Ceph dashboard.
- Integrate with centralized identity where possible.
- Disable default credentials and enforce MFA on admin access.
¶ Encryption and Key Management
- Encrypt OSD disks (for example with LUKS via ceph-volume's --dmcrypt option).
- Protect keyrings on disk with strict file permissions.
- Encrypt backups of cluster metadata and config.
¶ Logging and Monitoring
- Centralize MON/MGR/OSD logs.
- Alert on authentication failures, daemon flapping, and quorum instability.
- Audit changes to CRUSH map and auth caps.
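As an added example (not from this page or the Ceph project), the following script audits `ceph auth ls` output against the least-privilege cap rule above: it parses each entity's caps and flags client.* identities with wildcard caps or OSD caps not scoped to a pool, namespace, or CephFS tag. The sample output is constructed, with `key:` lines omitted, and client.admin is skipped as an assumed allowed exception.

```python
import re

# Constructed sample in the layout printed by `ceph auth ls` ("key:" lines omitted).
SAMPLE_AUTH_LS = """\
installed auth entries:
client.admin
\tcaps: [mon] allow *
\tcaps: [osd] allow *
client.rbd-app
\tcaps: [mon] profile rbd
\tcaps: [osd] profile rbd pool=apps
client.legacy-backup
\tcaps: [mon] allow *
\tcaps: [osd] allow rwx
client.fs-ops
\tcaps: [mds] allow rw fsname=cephfs path=/ops
\tcaps: [mon] allow r fsname=cephfs
\tcaps: [osd] allow rw tag cephfs data=cephfs
"""

# An OSD cap counts as scoped if it names a pool, a namespace, or a CephFS tag.
SCOPE_RE = re.compile(r"\bpool=|\bnamespace=|\btag\s+\S+")

def parse_auth_ls(text):
    """Return {entity: {subsystem: cap string}} from `ceph auth ls` output."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("installed auth"):
            continue
        if not line[0].isspace():  # entity header such as "client.rbd-app"
            current = line.strip()
            entries[current] = {}
            continue
        m = re.match(r"\s*caps: \[(\w+)\] (.+)", line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip()
    return entries

def audit_client_caps(entries, allowed_wide=("client.admin",)):
    """Flag client.* identities whose caps exceed least privilege."""
    findings = []
    for name, caps in entries.items():
        if not name.startswith("client.") or name in allowed_wide:
            continue
        for sub, cap in caps.items():
            if cap.startswith("allow *"):
                findings.append((name, sub, "wildcard cap"))
            elif sub == "osd" and not SCOPE_RE.search(cap):
                findings.append((name, sub, "osd cap not scoped to pool/namespace/tag"))
    return findings
```

Run it against real `ceph auth ls` output piped into `parse_auth_ls` to list identities that need tighter caps, such as `profile rbd pool=<pool>` for RBD clients or caps granted through `ceph fs authorize` for CephFS clients.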