[openstack-dev] Volume Encryption

Benjamin, Bruce P. Bruce.Benjamin at jhuapl.edu
Fri Jan 11 22:48:24 UTC 2013


Caitlin Bestler wrote:
> How does encryption relate to snapshots?
> Is the snapshot encrypted with the same key as the volume?
> Not doing so would force snapshot creation to be a very time-consuming
> operation. The most efficient snapshots are ZFS style where the current
> blocks are just frozen, which would mean they are still encrypted.
> Accessing the snapshot requires access to the key that the volume used.
> How will this be tracked?
Taking a snapshot of a volume will require associating the encryption key(s) used by the original volume with the snapshot.

> How do we prevent the key from being deleted while there are snapshots that
> still rely on it?
Making a copy of the encryption key(s) of the original volume avoids the possibility of deleting keys required by a snapshot.

> Is this compatible with thin provisioning of clone copies (especially for
> local volumes)?  Is a thinly provisioned clone copy required to use the
> same key as the snapshot it was based upon?
The clone would be required to use the same key. If there is a requirement for a local copy using a separate key, this would be considered, but this would double the encryption processing performance penalty.
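
The key handling described in this reply, as an added Python sketch (not part of the original message and not OpenStack code): a snapshot freezes the already-encrypted blocks and receives its own copy of the volume's key, so deleting the volume's key record cannot strand the snapshot or a thin clone. `KeyStore`, `Volume` and the SHA-256 keystream are hypothetical stand-ins for the real key manager and block cipher.

```python
import hashlib
import os

class KeyStore:
    """Hypothetical key manager: key_id -> key material."""
    def __init__(self):
        self._keys = {}
    def create(self, material=None):
        key_id = os.urandom(8).hex()
        self._keys[key_id] = material or os.urandom(32)
        return key_id
    def copy(self, key_id):
        # New record, same key material: independent lifetime.
        return self.create(self._keys[key_id])
    def get(self, key_id):
        return self._keys[key_id]
    def delete(self, key_id):
        del self._keys[key_id]

def xcrypt(key, block_no, data):
    # Toy keystream standing in for the real block cipher; illustration only.
    assert len(data) <= 32
    stream = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class Volume:
    def __init__(self, store, blocks=None, key_id=None):
        self.store = store
        self.key_id = key_id or store.create()
        self.blocks = blocks if blocks is not None else {}
    def write(self, n, plaintext):
        self.blocks[n] = xcrypt(self.store.get(self.key_id), n, plaintext)
    def read(self, n):
        return xcrypt(self.store.get(self.key_id), n, self.blocks[n])
    def snapshot(self):
        # Blocks are frozen as ciphertext (no re-encryption); the key is copied.
        return Volume(self.store, dict(self.blocks), self.store.copy(self.key_id))
    def delete(self):
        self.store.delete(self.key_id)
        self.blocks.clear()

def demo():
    store = KeyStore()
    vol = Volume(store)
    vol.write(0, b"secret block")      # constructed sample data
    snap = vol.snapshot()
    clone = snap.snapshot()            # thin clone shares ciphertext, so same key material
    vol.delete()                       # removes only the volume's own key record
    return snap.read(0), clone.read(0), snap.key_id != clone.key_id
```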