[openstack-dev] Volume Encryption

Clark, Robert Graham robert.clark at hp.com
Sat Feb 16 10:00:31 UTC 2013


I can't wait to talk about this at the summit.

One of the primary concerns I have is around key management, the way
authorisation happens here, recommendations about key-server anti-affinity
with nodes/chassis containing encrypted data etc.

Should make for a fun discussion.

On 15/02/2013 19:58, "Benjamin, Bruce P." <Bruce.Benjamin at jhuapl.edu>
wrote:

>On 2/12/2013, Caitlin Bestler wrote:
>>> I'd recommend that OpenStack just use the technology that is
>>>available, and specifically avoid endorsing any of the options.
>
>To address this issue and provide flexibility for the default encryption
>options for the proposed volume encryption feature, the implementation
>now exposes the dm-crypt options via Nova's configuration file.  All
>relevant options and default values are configurable through this file,
>with present settings as follows:  cryptsetup_default_cipher:
>aes-xts-plain64, cryptsetup_default_key_size: 256, and
>cryptsetup_default_hash: None.  Note that any parameter specified by the
>value 'None' will revert to the default values compiled into cryptsetup
>(and I just heard that these differ depending on the Linux distribution.)
> 
>
>BTW, though the volume encryption feature didn't make it into Grizzly due
>to the late submission, our group will continue this work with solid
>plans to submit this and other related code for Havana.
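Added example, not part of the original thread or of the proposed Nova code: the quoted settings leave `cryptsetup_default_hash` as None, so the hash actually used depends on the cryptsetup build on each host. The sketch below resolves the effective settings against the defaults trailer of `cryptsetup --help`; the two help samples are constructed, and plain mode and all function names are assumptions.

```python
import re

# Constructed samples modeled on the defaults trailer of `cryptsetup --help`
# for two hypothetical builds; real wording and values vary by version.
HELP_BUILD_A = "\tplain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160\n"
HELP_BUILD_B = "\tplain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: sha256\n"

# Settings quoted in the thread; None means "use cryptsetup's compiled-in default".
NOVA_CONF = {
    "cryptsetup_default_cipher": "aes-xts-plain64",
    "cryptsetup_default_key_size": 256,
    "cryptsetup_default_hash": None,
}

_LINE = re.compile(
    r"^\s*(?P<mode>[\w-]+):\s*(?P<cipher>[^,\s]+),\s*Key:?\s*(?P<bits>\d+) bits"
    r"(?:,\s*[\w ]*hashing:\s*(?P<hash>[\w-]+))?", re.M)

def compiled_defaults(help_text, mode="plain"):
    """Extract cipher, key size and hash for one mode from the help trailer."""
    for m in _LINE.finditer(help_text):
        if m.group("mode") == mode:
            return {"cipher": m.group("cipher"),
                    "key_size": int(m.group("bits")),
                    "hash": m.group("hash")}
    raise ValueError("no compiled-in defaults found for mode %r" % mode)

def effective_settings(conf, help_text, mode="plain"):
    """Resolve each option; report which ones fell back to the build default."""
    defaults = compiled_defaults(help_text, mode)
    out, unpinned = {}, []
    for field in ("cipher", "key_size", "hash"):
        value = conf.get("cryptsetup_default_" + field)
        if value is None:
            value = defaults[field]
            unpinned.append(field)
        out[field] = value
    # XTS splits the key in two, so a 256-bit XTS key drives AES-128.
    xts = "-xts-" in out["cipher"]
    out["block_cipher_bits"] = out["key_size"] // 2 if xts else out["key_size"]
    return out, unpinned

if __name__ == "__main__":
    for name, text in (("A", HELP_BUILD_A), ("B", HELP_BUILD_B)):
        print(name, effective_settings(NOVA_CONF, text))
```

Any field returned in the second value is not pinned by the configuration and can differ between hosts running different cryptsetup builds.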