= GlusterFS Encryption =

The default GlusterFS setup does not encrypt its communication. Use the method below to enable encryption.

== Keys and Certificates ==

Make an encryption key and a self-signed certificate, and make sure to set the `CN` to match the name of the client/server. Repeat this on all the servers and on the client.

=== Servers ===

{{{
cd /etc/ssl
openssl genrsa -out glusterfs.key 2048
openssl req -new -x509 -key glusterfs.key -subj "/CN=gluster01" -out glusterfs.pem
}}}

=== Client ===

{{{
cd /etc/ssl
openssl genrsa -out glusterfs.key 2048
openssl req -new -x509 -key glusterfs.key -subj "/CN=glusterclient01" -out glusterfs.pem
}}}

== Certificate Authorities ==

=== Servers ===

Collect all the certificates in one place and concatenate them into `/etc/ssl/glusterfs.ca`. Notice that this bundle also includes the certificate from the client.

{{{
cat gluster01.pem gluster02.pem gluster03.pem glusterclient01.pem > glusterfs.ca
}}}

Copy the certificate authority to all the servers and place it in `/etc/ssl/glusterfs.ca`.

=== Client ===

Collect all the server certificates in one place and concatenate them into `/etc/ssl/glusterfs-client.ca`.

{{{
cat gluster01.pem gluster02.pem gluster03.pem > glusterfs-client.ca
}}}

Copy this certificate authority to the client and place it in `/etc/ssl/glusterfs.ca`.

== Activate Encryption ==

=== Servers ===

When this file exists the glusterfs server will use the new certificates.

{{{
touch /var/lib/glusterd/secure-access
}}}

Restart the servers:

{{{
service glusterfs-server restart
}}}

=== Client ===

On the client you need to create the `/var/lib/glusterd` directory before activating encryption.

{{{
mkdir /var/lib/glusterd/
touch /var/lib/glusterd/secure-access
}}}

== Enable Encryption ==

Encryption is enabled per volume from one of the servers.

{{{
gluster volume set www client.ssl on
gluster volume set www server.ssl on
}}}

== Allow Only Specific Hosts ==

We allow access only from known hosts, identified by the `CN` of their certificates. Run this on one of the servers.

{{{
gluster volume set www auth.ssl-allow 'gluster01,gluster02,gluster03,glusterclient01'
}}}

== Mounting ==

On the client we have to enable SSL for the volume. Add `option transport.socket.ssl-enabled on` to every `protocol/client` volume in `/etc/glusterfs/www.vol`. The file will now look like this.

{{{
volume remote1
    type protocol/client
    option transport-type tcp
    option remote-host gluster01
    option remote-subvolume /srv/www/brick
    option transport.socket.ssl-enabled on
end-volume

volume remote2
    type protocol/client
    option transport-type tcp
    option remote-host gluster02
    option remote-subvolume /srv/www/brick
    option transport.socket.ssl-enabled on
end-volume

volume remote3
    type protocol/client
    option transport-type tcp
    option remote-host gluster03
    option remote-subvolume /srv/www/brick
    option transport.socket.ssl-enabled on
end-volume

volume replicate
    type cluster/replicate
    subvolumes remote1 remote2 remote3
end-volume

volume writebehind
    type performance/write-behind
    option window-size 1MB
    subvolumes replicate
end-volume

volume cache
    type performance/io-cache
    option cache-size 64MB
    subvolumes writebehind
end-volume
}}}
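A small audit for the client volfile above, added here as an example and not part of the original page: it parses the stanza format shown in the Mounting section and reports any `protocol/client` volume that is missing `option transport.socket.ssl-enabled on` (a brick that would still be reached in plaintext), plus any `remote-host` that does not appear in the `auth.ssl-allow` list. The sample volfile is constructed for the demonstration, with `remote2` deliberately missing the option.

```python
# Added example, not from the original page.  SAMPLE_VOLFILE is constructed:
# remote2 intentionally lacks transport.socket.ssl-enabled.  SSL_ALLOW is the
# auth.ssl-allow value used on the page.
SAMPLE_VOLFILE = """\
volume remote1
  type protocol/client
  option remote-host gluster01
  option remote-subvolume /srv/www/brick
  option transport.socket.ssl-enabled on
end-volume
volume remote2
  type protocol/client
  option remote-host gluster02
  option remote-subvolume /srv/www/brick
end-volume
volume replicate
  type cluster/replicate
  subvolumes remote1 remote2
end-volume
"""
SSL_ALLOW = "gluster01,gluster02,gluster03,glusterclient01"


def parse_volfile(text):
    """Return {volume_name: {"type": str, "options": {key: value}}} per stanza."""
    volumes, current = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if parts[0] == "volume" and len(parts) == 2:
            current = volumes.setdefault(parts[1], {"type": None, "options": {}})
        elif parts[0] == "end-volume":
            current = None
        elif current is not None and parts[0] == "type" and len(parts) == 2:
            current["type"] = parts[1]
        elif current is not None and parts[0] == "option" and len(parts) >= 3:
            current["options"][parts[1]] = " ".join(parts[2:])
    return volumes


def audit_ssl(text, ssl_allow):
    """Return (client volumes without SSL, remote-hosts absent from ssl_allow)."""
    allowed = {h.strip() for h in ssl_allow.split(",") if h.strip()}
    no_ssl, unlisted = [], set()
    for name, vol in parse_volfile(text).items():
        if vol["type"] != "protocol/client":
            continue  # only the brick connections carry the SSL option
        if vol["options"].get("transport.socket.ssl-enabled") != "on":
            no_ssl.append(name)
        host = vol["options"].get("remote-host")
        if host and host not in allowed:
            unlisted.add(host)
    return sorted(no_ssl), sorted(unlisted)
```

Run `audit_ssl(open("/etc/glusterfs/www.vol").read(), SSL_ALLOW)` on the real file; an empty pair means every brick connection is TLS-enabled and every host it names is in the allow list.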