CephArmor: Secure interface on high-performance clustered storage solution

Thumbnail Image



Journal Title

Journal ISSN

Volume Title


University of New Brunswick


Clustered storage systems stand as dominant solutions in modern-day data production. These systems are a type of storage architecture that allows multiple storage nodes to work together to provide a unified, highly available storage solution. The nodes in a cluster share resources and data, so if one node fails, the other nodes can take over its workload without interrupting the storage service. Clustered storage solutions are typically used in enterprise environments where data availability and reliability are critical requirements. These systems can be adopted directly by an organization or a cloud service provider. Cloud storage represents a straightforward but expensive method to manage a large volume of data. In addition, governmental organizations are reluctant to share clients’ information with any third-party service provider. Ceph represents a sustainable clustered storage solution, supporting object, block, and file storage capabilities with no single point of failure. Employing Ceph in a high-performance environment provides data availability, scalability, and self-balancing capabilities. Despite the strong management, security remains a serious concern in the Ceph storage system. To date, authentication and access control are the only supported security protocols in the system. Data confidentiality will be undermined if a malicious insider or outside intruder accesses storage devices. We proposed a cryptographic-based security interface to provide data confidentiality in this study. CephArmor, as the security API, has been integrated into the lowest storage layer, Rados, of the latest stable version of Ceph, Pacific, and evaluated through 45Drives Storinators, a commercial hardware commodity for storage system solutions. Then we optimized the architectural design of the API to enhance the encryption cost in the write operation. The experimental results indicated performance improvement between the optimized design, BLD, and the initial model, named ALD. Moving forward, we integrated other encryption algorithms into the security interface to evaluate the impact of the encryption algorithm versus the de sign architecture. Although we observed an improvement, the experiments testify to a higher impact of structural design against the encryption algorithm.