[openstack-dev] key manager proposal

Caitlin Bestler caitlin.bestler at nexenta.com
Fri Mar 8 21:42:37 UTC 2013


On 3/8/2013 12:15 PM, Nate Reller wrote:
> Malini,
>
> Sorry for the long reply, but I have a lot of thoughts on this. I like the
> proposal overall, but I have some concerns and suggestions.
>
> *** Master Key and Access for Compute Hosts ***
>
> My biggest concerns are with regards to the master key and preventing access to
> the compute hosts. In our proposal, encrypt-cinder-volumes, the compute host is
> encrypting the cinder volume data after it leaves the VM and before it is sent
> to the cinder host. Clearly we would like for compute hosts to have access to
> the Key Manager to allow them to encrypt the data.
>
> My other concern is with the master key idea. The compute hosts will be
> responsible for encrypting and decrypting the data for cinder volumes. If the
> keys for doing this are encrypted by a master key then the master key must be
> shared by all compute hosts that will use the cinder volume. That would require
> copying the master key to multiple platforms and that makes me nervous. This is
> my biggest concern with master keys encrypting other keys. It forces the master
> key to be shared with all entities that will use the key.

We don't need the master key to be the same for all hosts. Just that the hosts get their master key from a different server which will refuse to provide it should the requesting server be de-authorized or inexplicably be relocated to a totally different network.

Transferring of keys is indeed something to be nervous about. That is why I was proposing that the Key Manager allow host-A to transfer the key identified by X to host-B. The actual transfer would be encrypted so that decryption required B's private key and A's public key.

Each host would store all keys within the TPM (or other form of "lockbox") with a Master Key, which probably should be unique for that host.
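The two mechanisms above (a per-host master key wrapping everything in the host's lockbox, and a host-to-host transfer envelope that only B's private key plus A's public key can open) can be sketched in working code. The following is an added illustration, not code from this thread or from any OpenStack project: it uses a static-static X25519 agreement for the transfer, written out on the Python standard library so it runs offline, and an HMAC-SHA256 encrypt-then-MAC construction as a stand-in for AES-GCM/AES key wrap since the standard library has no AES. The Key Manager's own authorization check (refusing de-authorized or relocated hosts) is assumed to happen before `export_to` is called and is not modelled. Host names, key id `vol-X` and the `Host` class are constructed for the example.

```python
import hashlib
import hmac
import os

# ---- X25519 (RFC 7748), written out on the standard library so the example runs
# offline. Production code should use a vetted library instead. ----
_P = 2**255 - 19


def _ladder(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5: returns k*u as a u-coordinate."""
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        da, cb = (x3 - z3) * a % _P, (x3 + z3) * b % _P
        x3, z3 = pow(da + cb, 2, _P), u * pow(da - cb, 2, _P) % _P
        x2, z2 = aa * bb % _P, e * (aa + 121665 * e) % _P
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, _P - 2, _P) % _P


def x25519(private: bytes, peer_u: bytes) -> bytes:
    """Shared secret from my 32-byte private scalar and the peer's 32-byte public u."""
    k = bytearray(private); k[0] &= 248; k[31] &= 127; k[31] |= 64
    u = int.from_bytes(peer_u, "little") & ((1 << 255) - 1)
    return _ladder(int.from_bytes(k, "little"), u).to_bytes(32, "little")


def x25519_public(private: bytes) -> bytes:
    return x25519(private, (9).to_bytes(32, "little"))


def _hkdf(ikm: bytes, info: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869), empty salt, 64 bytes out: 32 for the keystream PRF, 32 for the MAC."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    t1 = hmac.new(prk, info + b"\x01", hashlib.sha256).digest()
    t2 = hmac.new(prk, t1 + info + b"\x02", hashlib.sha256).digest()
    return t1 + t2


def _stream(k: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream; a stand-in for AES, not a standard cipher.
    return b"".join(hmac.new(k, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, with aad bound into the tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key[:32], nonce, len(plaintext))))
    tag = hmac.new(key[32:], aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key[32:], aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrapped key failed authentication")
    return bytes(c ^ s for c, s in zip(ct, _stream(key[:32], nonce, len(ct))))


class Host:
    """A compute host: a unique master key that never leaves it, plus an X25519 identity."""

    def __init__(self, name: str):
        self.name = name
        self.master_key = _hkdf(os.urandom(32), b"lockbox master")  # unique per host
        self.private = os.urandom(32)
        self.public = x25519_public(self.private)
        self.lockbox = {}  # key id -> key wrapped under this host's master key

    def store(self, key_id: str, key: bytes) -> None:
        self.lockbox[key_id] = _seal(self.master_key, key, key_id.encode())

    def load(self, key_id: str) -> bytes:
        return _open(self.master_key, self.lockbox[key_id], key_id.encode())

    def export_to(self, key_id: str, peer_public: bytes) -> bytes:
        # Transfer envelope keyed by KDF(X25519(my private, peer public)): opening it
        # needs the peer's private key together with my public key, nothing else.
        kek = _hkdf(x25519(self.private, peer_public), b"key transfer " + key_id.encode())
        return _seal(kek, self.load(key_id), key_id.encode())

    def import_from(self, key_id: str, envelope: bytes, peer_public: bytes) -> None:
        kek = _hkdf(x25519(self.private, peer_public), b"key transfer " + key_id.encode())
        self.store(key_id, _open(kek, envelope, key_id.encode()))


def transfer_demo() -> dict:
    """host-A hands volume key vol-X to host-B; host-C, holding the same envelope, cannot open it."""
    a, b, c = Host("host-A"), Host("host-B"), Host("host-C")
    volume_key = os.urandom(32)  # constructed sample key for cinder volume X
    a.store("vol-X", volume_key)
    envelope = a.export_to("vol-X", b.public)
    b.import_from("vol-X", envelope, a.public)
    try:
        c.import_from("vol-X", envelope, a.public)
        c_opened = True
    except ValueError:
        c_opened = False
    return {"b_recovers_key": b.load("vol-X") == volume_key,
            "lockboxes_differ": a.lockbox["vol-X"] != b.lockbox["vol-X"],
            "c_can_open": c_opened}
```

Note that after the transfer each host holds the same volume key wrapped under its own, different master key, so nothing shared between hosts ever has to be copied around; the only thing on the wire is the envelope, which is useless to a third host even with A's public key in hand.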
