[openstack-dev] Volume Encryption

Caitlin Bestler Caitlin.Bestler at nexenta.com
Fri Jan 11 23:13:33 UTC 2013

Benjamin, Bruce P wrote:

> Caitlin Bestler wrote:
>> How does encryption relate to snapshots?
>> Is the snapshot encrypted with the same key as the volume?
>> Not doing so would force snapshot creation to be a very time consuming
>> operation. The most efficient snapshots are ZFS style where the current
>> blocks are just frozen, which would mean they are still encrypted.
>> Accessing the snapshot requires access to the key that the volume used.
>> How will this be tracked?

>Taking a snapshot of a volume will require associating the encryption key(s) used by the original volume with the snapshot.

If every snapshot has a copy of the key, and every clone created from the snapshot requires a copy of the key, we end up
with a key that is being copied everywhere.

By default any method of communicating that key will only be as secure as general control plane communications, which
is generally less secure than what end users desire for data at rest.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130111/bd5ea287/attachment.html>

More information about the OpenStack-dev mailing list