¶ Authentication and Access
- Use Cephx authentication for all clients and daemons.
- Create scoped keyrings per service with minimal capabilities.
- Protect admin keyrings and never distribute cluster-admin keys broadly.
- Separate public and cluster networks.
- Restrict MON/MGR/OSD ports to trusted nodes only.
- Block direct public access to internal Ceph control ports.
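To check the scoped-keyring and admin-key items above against a live cluster, the capability listing can be audited offline. The following is an added example, not part of the original checklist: it parses the keyring text format that `ceph auth export` prints and flags client entities with wildcard or pool-unscoped capabilities. The function names, the admin allowlist and the sample entities are assumptions made for illustration.

```python
import re

# Constructed sample in the keyring text format printed by `ceph auth export`.
# Entity names and keys are placeholders, not values from a real cluster.
SAMPLE_KEYRING = """
[client.admin]
    key = PLACEHOLDER-1
    caps mon = "allow *"
    caps osd = "allow *"
[osd.0]
    key = PLACEHOLDER-2
    caps osd = "allow *"
[client.backup]
    key = PLACEHOLDER-3
    caps osd = "allow *"
[client.reports]
    key = PLACEHOLDER-4
    caps osd = "allow rw"
[client.webapp]
    key = PLACEHOLDER-5
    caps osd = "profile rbd pool=webapp"
"""

def parse_keyring(text):
    """Return {entity: {service: capability string}}; key lines are ignored."""
    entities, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = entities.setdefault(m.group(1), {})
        elif current is not None and (m := re.fullmatch(r'caps (\w+) = "(.*)"', line)):
            current[m.group(1)] = m.group(2)
    return entities

def audit(entities, admin_allowlist=("client.admin",)):
    """Flag client entities whose caps are wider than a scoped service key needs."""
    findings = []
    for name, caps in sorted(entities.items()):
        if not name.startswith("client.") or name in admin_allowlist:
            continue  # daemons and the designated admin key are not audited here
        for svc, spec in sorted(caps.items()):
            for grant in (g.strip() for g in spec.split(",")):
                if re.search(r"allow\s+\*", grant):
                    findings.append((name, svc, "wildcard grant: " + grant))
                elif svc == "osd" and "pool=" not in grant and "namespace=" not in grant:
                    findings.append((name, svc, "not scoped to a pool: " + grant))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_keyring(SAMPLE_KEYRING)):
        print(*finding, sep="  ")
```

The two checks are heuristics: a flagged entity needs review against what the service actually requires, and an empty result does not prove the remaining caps are minimal.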
¶ Encryption and Data Safety
- Enable encryption at rest for OSD devices (LUKS where applicable).
- Use TLS for dashboard and API access.
- Rotate credentials and certificates periodically.
- Keep cluster versions patched and aligned.
- Enable audit logging for administrative actions.
- Test disaster recovery with snapshot and pool restore procedures.