Skip to content

RBD Encryption Support #2039

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
axboe merged 1 commit into from
Jan 20, 2026
Merged

RBD Encryption Support #2039

axboe merged 1 commit into from
Jan 20, 2026
+140 −2

Conversation

@Greenpepper15
Copy link

@Greenpepper15 Greenpepper15 commented Jan 16, 2026

Summary
This PR adds support for testing Ceph librbd client-side encryption (AES-XTS) by allowing fio to load LUKS keys for an existing image with librbd. After the loading operation any IO to the rbd image will be encrypted/decrypted.

See the Ceph documentation for this feature: https://docs.ceph.com/en/reef/rbd/rbd-encryption/

Motivation
librbd has supported encryption/decryption since Ceph Pacific (16.2.z). However, the fio rbd engine currently lacks the hooks to load encryption context. This prevents users from benchmarking the crypto overhead of this librbd feature.

Implementation Details

  • Adds configure configuration to detect if the linked librbd supports rbd_encryption_load.
  • Adds two new job options:
    • rbd_encryption_format: (luks1, luks2)
    • rbd_encryption_passphrase: The key/passphrase to unlock the image.
  • Uses rbd_encryption_load() during the connection phase to load encryption context.

Notes on Design

  • No Auto-Formatting: This patch does not use rbd_encryption_format. It is assumed the user has already provisioned and formatted the image using the Ceph CLI (rbd encryption format ...). This avoids accidental data destruction or re-formatting overhead during benchmark runtime.
    • I could add Auto-Formatting by trying to load the encryption context and formatting if that fails, if you want me to.
  • Backward Compatibility: The feature is guarded by CONFIG_RBD_ENCRYPTION. If fio is built against an older Ceph version (pre-Pacific), the options are unavailable, and the engine behaves as before.

Example Job File

[encrypted-test]
ioengine=rbd
pool=bench_pool
rbdname=test_image
# New encryption options
rbd_encryption_format=luks2
rbd_encryption_passphrase=my_secret_passphrase
rw=randwrite
bs=4k

And please review the documentation I wrote. I am unsure if the phrasing and syntax I used is consistent with the rest of the documentation.

sitsofe
sitsofe reviewed Jan 16, 2026
View reviewed changes
sitsofe
sitsofe reviewed Jan 16, 2026
View reviewed changes
Copy link
Collaborator

@sitsofe sitsofe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • I'm fine with your choice not to auto-format the image (but I'm not benchmarking Ceph so perhaps I'm not the target audience)
  • Please squash these commits into one - this can be seen as being atomic and can go in all in one go
  • You may want to move some of the PR info into the commit message

@Greenpepper15 Greenpepper15 force-pushed the rbd-encryption-support branch 2 times, most recently from ffb7ad2 to 870d6cf Compare January 19, 2026 05:36
@Greenpepper15
Copy link
Author

Greenpepper15 commented Jan 20, 2026

Cool all tests passed.
Do you have more suggestions?

axboe
axboe reviewed Jan 20, 2026
View reviewed changes
@axboe
Copy link
Owner

axboe commented Jan 20, 2026

@Greenpepper15 Just that minor nit, if you fix it up and amend the commit and force push it, I can pick it up. Rest looks fine to me.

engines/rbd: add support for LUKS encryption
067ffa4 
Currently, the rbd engine can only attach to unencrypted images.
This prevents users from benchmarking the performance impact of
librbd's client-side encryption features.

This patch adds two new options, 'rbd_encryption_format' and
'rbd_encryption_passphrase', allowing fio to perform
encryption/decryption IO with librbd before starting I/O.

Signed-off-by: David Mohren <[email protected]>
@Greenpepper15 Greenpepper15 force-pushed the rbd-encryption-support branch from 870d6cf to 067ffa4 Compare January 20, 2026 19:44
@axboe axboe merged commit 26cb608 into axboe:master Jan 20, 2026
@axboe
Copy link
Owner

axboe commented Jan 20, 2026

Pulled with a fixup added on top, github doesn't really render things properly and you had various cases of trailing whitespace or incorrect usage of tabs vs spaces.

@Greenpepper15
Copy link
Author

Greenpepper15 commented Jan 20, 2026
edited
Loading

Thanks for the merge!
Sorry for the inconvenience. I will be more careful next time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@axboe axboe axboe left review comments

@sitsofe sitsofe sitsofe left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Greenpepper15 @axboe @sitsofe