From 7329f2305442647ba5c27a4b200afbfc1f4b0907 Mon Sep 17 00:00:00 2001 From: schmidt-scaled Date: Fri, 19 Jun 2026 16:06:35 +0300 Subject: [PATCH 1/2] docs(nvmf-security): remove inaccurate cluster-level security config NVMe-oF security has no cluster-level configuration. DH-HMAC-CHAP parameters are fixed (digests sha256/sha384/sha512, DH group ffdhe2048), applied at the pool level via --dhchap; host access control and per-host keys are managed per volume. Drop the 'two levels / cluster-wide settings' framing and the 'Cluster Level' subsection that claimed parameters are provisioned at cluster creation, and stop listing the full DH-group set as configurable. --- docs/architecture/concepts/nvmf-security.md | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/docs/architecture/concepts/nvmf-security.md b/docs/architecture/concepts/nvmf-security.md index 54d29195..7e4c576d 100644 --- a/docs/architecture/concepts/nvmf-security.md +++ b/docs/architecture/concepts/nvmf-security.md @@ -5,8 +5,9 @@ weight: 30200 --- Simplyblock supports NVMe-oF transport security to protect data in transit and restrict access to storage subsystems. -Security is configured at two levels: cluster-wide settings define the authentication parameters, while pool-level -settings control which security keys are generated for volumes and their allowed hosts. +Security is enabled at the pool level: turning it on for a pool applies it to every volume created in that pool. Host +access control and the per-host security keys are then managed per volume. There is no cluster-level security +configuration — the DH-HMAC-CHAP parameters are fixed and need not (and cannot) be set when creating a cluster. ## Host Access Control @@ -31,9 +32,10 @@ Simplyblock supports: - **Bidirectional (mutual) authentication**: Both host and target verify each other using a `dhchap_key` (host-to-target) and a `dhchap_ctrlr_key` (target-to-host). -Supported hash algorithms (digests): `sha256`, `sha384`, `sha512` +Simplyblock uses a fixed DH-HMAC-CHAP configuration; these parameters are not configurable: -Supported Diffie-Hellman groups: `null`, `ffdhe2048`, `ffdhe3072`, `ffdhe4096`, `ffdhe6144`, `ffdhe8192` +- Hash algorithms (digests) offered to the host: `sha256`, `sha384`, `sha512` (the host negotiates one). +- Diffie-Hellman group: `ffdhe2048`. DH-HMAC-CHAP keys are automatically generated in the NVMe TP8018 format (`DHHC-1:::`) when a host is added to a volume in a pool with `dhchap_key` enabled in its security options. @@ -48,12 +50,8 @@ PSK keys are automatically generated (256-bit random hex tokens) when a host is ## Configuration Levels -NVMe-oF security is configured at two levels: - -### Cluster Level - -At cluster creation time, DH-HMAC-CHAP parameters (digest algorithms and DH groups) are automatically provisioned. No -specific configuration is required. +NVMe-oF security is configured at the pool level and managed per volume/host. It is **not** configured at the cluster +level — a cluster carries no security settings, and there is no `--host-sec` (or equivalent) option on `cluster create`. ### Pool Level From fcaa2f17f4dd9c48c83256d5f71046e0af0338cd Mon Sep 17 00:00:00 2001 From: noctarius aka Christoph Engelbert Date: Fri, 19 Jun 2026 15:13:39 +0200 Subject: [PATCH 2/2] Clarify NVMe-oF security configuration details --- docs/architecture/concepts/nvmf-security.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/architecture/concepts/nvmf-security.md b/docs/architecture/concepts/nvmf-security.md index 7e4c576d..b3f32ccc 100644 --- a/docs/architecture/concepts/nvmf-security.md +++ b/docs/architecture/concepts/nvmf-security.md @@ -5,9 +5,9 @@ weight: 30200 --- Simplyblock supports NVMe-oF transport security to protect data in transit and restrict access to storage subsystems. -Security is enabled at the pool level: turning it on for a pool applies it to every volume created in that pool. Host -access control and the per-host security keys are then managed per volume. There is no cluster-level security -configuration — the DH-HMAC-CHAP parameters are fixed and need not (and cannot) be set when creating a cluster. +Security is enabled at a storage pool level. Turning it on for a storage pool applies to all volume created in that +specific storage pool. Host access control and the per-host security keys are then managed per volume. There is no +cluster-level security configuration. The DH-HMAC-CHAP parameters are fixed and cannot be set when creating a cluster. ## Host Access Control @@ -32,9 +32,9 @@ Simplyblock supports: - **Bidirectional (mutual) authentication**: Both host and target verify each other using a `dhchap_key` (host-to-target) and a `dhchap_ctrlr_key` (target-to-host). -Simplyblock uses a fixed DH-HMAC-CHAP configuration; these parameters are not configurable: +Simplyblock uses a fixed DH-HMAC-CHAP configuration. The following settings are used: -- Hash algorithms (digests) offered to the host: `sha256`, `sha384`, `sha512` (the host negotiates one). +- Hash algorithms (digests) offered to and negotiated by the host: `sha256`, `sha384`, `sha512`. - Diffie-Hellman group: `ffdhe2048`. DH-HMAC-CHAP keys are automatically generated in the NVMe TP8018 format (`DHHC-1:::`) when @@ -50,8 +50,8 @@ PSK keys are automatically generated (256-bit random hex tokens) when a host is ## Configuration Levels -NVMe-oF security is configured at the pool level and managed per volume/host. It is **not** configured at the cluster -level — a cluster carries no security settings, and there is no `--host-sec` (or equivalent) option on `cluster create`. +NVMe-oF security is configured at the storage pool level and managed per volume/host. It is **not** configured at the cluster +level. In simplyblock, a storage cluster itself carries no security settings. ### Pool Level