[openstack-dev] Volume Encryption

Caitlin Bestler Caitlin.Bestler at nexenta.com
Thu Dec 27 18:06:57 UTC 2012

Bryan D. Payne wrote:

> - How do you specify encryption algorithms / key length?
> - Need a lot more details on the key management side.  In particular, what would you implement
>   here if the BP is accepted?  And how does the key management link back to Keystone... or does it?

This is addressing some critical weaknesses of controlling encryption through openstack rather than leaving
this strictly to the storage providers.

The weakest link here will be the HTTPS connections and the security of the OpenStack databases. With
almost any choice of block encryption the blocks themselves will be more secure than the keys needed
to unlock them will be.

There is something inverted about having a better lock on the door than on the box that holds the keys.

I do not think this is a solvable problem. Just improving the messaging and database security for Cinder
Encryption will do no good. An attacker can take control of nova itself to gain access to this information.

Rather than upgrading the entire openstack security infrastructure, why not just let each cinder server
Store its own keys to volumes that it encrypted. Just require that the keys be store on a separate device.
Storing the keys on a different machine exposes the keys, and makes the security no better than the
encryption used for messaging.

Yes, this means that if the block server loses the key that the data is lost. That's why you take snapshots
and replicate them elsewhere.

Having a universal key that can unlock an encrypted volume *anywhere* means that your encryption
Is not better than the encryption used to transport and save the key.

>   Are you linking the keys to specific users?  Or is this just a system-level encryption that has no direct linkage to users?

The current proposal does not address end-to-end encryption, so it's focus is more on protecting data while it is at rest.
As such the current access control logic would determine who can mount a given volume, independent of whether that
volume was stored in an encrypted fashion.

The only reason to involve users in the encryption would be if you were providing end-to-end encryption where the blocks
Were no decrypted until they were delivered to the client machine.

More information about the OpenStack-dev mailing list