[openstack-dev] [Swift] Server Side Encryption

Jamie Lennox jamielennox at redhat.com
Thu Nov 21 00:24:29 UTC 2013

On Wed, 2013-11-20 at 13:26 +0200, David Hadas wrote:
> Hi all,
> We created a wiki page discussing the addition of software side encryption
> to Swift:
> "The general scheme is to create a swift proxy middleware that will encrypt
> and sign the object data during PUT and check the signature + decrypt it
> during GET. The target is to create two domains - the user domain between
> the client and the middleware where the data is decrypted and the system
> domain between the middleware and the data at rest (on the device) where
> the data is encrypted.
> Design goals include: (1) Extend swift as necessary but without changing
> existing swift behaviors and APIs; (2) Support encrypting data incoming
> from unchanged clients"
> See:  https://wiki.openstack.org/wiki/Swift/server-side-enc
> We would like to invite feedback.

Please make sure to have a look at the KDS service proposal and how it
deals with encrypting keys for storage.
https://review.openstack.org/#/c/37118/ It is abandoned as it has been
decided it should be split into its own service rather than live in
keystone; however, the principles won't change much.

It handles using a master encryption key to generate a per-host key with
which it signs and encrypts using the crypto functions that are already
in oslo.

That part of the code isn't too hard to write on a per-use basis, but if
server side encryption is going to become more widely adopted by
projects then I am interested in helping extract this functionality into
something generic for OSLO.

> DH
> Regards,
> David Hadas,
> Openstack Swift ATC, Architect, Master Inventor
> IBM Research Labs, Haifa
> Tel:    Int+972-4-829-6104
> Fax:   Int+972-4-829-6112
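
The master-key-to-per-host-key idea from the reply above, as an added example that is not part of the original post and is not the KDS or oslo code. It assumes HKDF-SHA256 (RFC 5869) as the derivation function and HMAC-SHA256 as the signature; the salt, the `host-key|` label, the host names and the master key are constructed for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt, ikm):
    """HKDF step 1: condense the master key into a pseudorandom key."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """HKDF step 2: stretch the PRK into `length` bytes bound to `info`."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def host_keys(master_key, host):
    """Return (signing_key, encryption_key) for one host.

    The host name goes into `info`, so each host gets independent keys and
    a leaked host key reveals neither the master key nor another host's key.
    """
    prk = hkdf_extract(b"constructed-salt", master_key)
    okm = hkdf_expand(prk, b"host-key|" + host.encode(), 64)
    # The second half would key a cipher; the standard library has none,
    # so only the signing half is exercised below.
    return okm[:32], okm[32:]


def sign(signing_key, payload):
    return hmac.new(signing_key, payload, HASH).digest()


def verify(signing_key, payload, tag):
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(sign(signing_key, payload), tag)


if __name__ == "__main__":
    master = bytes(range(32))  # constructed master key, not a real secret
    sig_a, _ = host_keys(master, "proxy-a.example")
    sig_b, _ = host_keys(master, "proxy-b.example")
    tag = sign(sig_a, b"object-key-blob")
    print("host A verifies:", verify(sig_a, b"object-key-blob", tag))
    print("host B verifies:", verify(sig_b, b"object-key-blob", tag))
```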
