[openstack-dev] [cinder][nova]Move encryptors to os-brick

Ben Swartzlander ben at swartzlander.org
Fri Nov 20 19:44:17 UTC 2015


On 11/20/2015 01:19 PM, Daniel P. Berrange wrote:
> On Fri, Nov 20, 2015 at 02:45:15PM +0200, Duncan Thomas wrote:
>> Brick does not have to take over the decisions in order to be a useful
>> repository for the code. The motivation for this work is to avoid having
>> the dm setup code copied wholesale into cinder, where it becomes difficult
>> to keep in sync with the code in nova.
>>
>> Cinder needs a copy of this code since it is on the data path for certain
>> operations (create from image, copy to image, backup/restore, migrate).
>
> A core goal of using volume encryption in Nova is to provide protection for
> tenant data from a malicious storage service, i.e. if the decryption key
> is only ever used by Nova on the compute node, then cinder only ever sees
> ciphertext, never plaintext.  Thus if cinder is compromised, it cannot
> compromise any data stored in any encrypted volumes.

There is a difference between the cinder service and the storage 
controller (or software system) that cinder manages. You can give the 
decryption keys to the cinder service without allowing the storage 
controller to see any plaintext.

As Walt says in the relevant patch [1], expecting cinder to do data 
management without ever performing I/O is unrealistic. The scenario 
where the compute admin doesn't trust the storage admin is 
understandable (although less important than other potential types of 
attacks IMO) but the scenario where the guy managing nova doesn't trust 
the guy managing cinder makes no sense at all.

I support moving the code into a common place, and doing responsible key 
management, and letting the cinder guys make sure that storage 
controllers never see plaintext in the cases when they're not supposed to.

-Ben

[1] https://review.openstack.org/#/c/247372/

> If cinder is looking to get access to the dm-setup code, this seems to
> imply that cinder will be getting access to the plaintext data, which
> feels to me like it de-values the volume encryption feature somewhat.
>
> I'm fuzzy on the details of just what code paths cinder needs to be
> able to convert from plaintext to ciphertext or vice versa, but in
> general I think it is desirable if we can avoid any such operation
> in cinder, and keep it so that only Nova compute nodes ever see the
> decrypted data.
>
> Regards,
> Daniel
>
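The distinction Ben draws above, between the service that holds the key and the storage backend that only ever receives ciphertext, is what dm-crypt gives you on whichever host performs the I/O. The following is an added example, not code from Nova, Cinder or os-brick: it builds a LUKS mapping over a file-backed loop device (the file stands in for the storage controller), writes a known marker through the mapping, and then checks that the marker is readable from the mapped device but absent from the backing file. It needs root, cryptsetup and losetup and reports "skipped" otherwise; the image path, marker string and passphrase are constructed for the demo (a real deployment would fetch the key from the key manager, never hard-code it).

```shell
#!/bin/sh
# Added example (not Nova/Cinder/os-brick code): show that a host holding the
# dm-crypt key can do I/O on a volume while the backing store sees only ciphertext.
set -eu

MARKER="PLAINTEXT-MARKER-7f3a9c"            # constructed; must never reach the backing file
PASS="demo-passphrase-not-a-real-key"        # constructed; stands in for a key-manager secret

demo_backing_store_sees_only_ciphertext() {
    # Needs root for losetup/device-mapper and the cryptsetup binary.
    if [ "$(id -u)" -ne 0 ] || ! command -v cryptsetup >/dev/null 2>&1; then
        echo skipped
        return 0
    fi

    img=$(mktemp /tmp/demo-vol.XXXXXX)       # the "storage controller" side
    name="demo-enc-$$"
    loop=""
    cleanup() {
        cryptsetup close "$name" 2>/dev/null || true
        [ -n "$loop" ] && losetup -d "$loop" 2>/dev/null || true
        rm -f "$img"
    }
    trap cleanup EXIT

    dd if=/dev/zero of="$img" bs=1M count=64 status=none
    loop=$(losetup --find --show "$img")

    # Format and open the volume. The passphrase is consumed here, on this host;
    # the backing file only ever receives the LUKS header and ciphertext sectors.
    # (pbkdf2 with a low iteration count keeps the demo fast; do not copy that.)
    printf '%s' "$PASS" | cryptsetup luksFormat --batch-mode --type luks2 \
        --pbkdf pbkdf2 --pbkdf-force-iterations 1000 "$loop" -
    printf '%s' "$PASS" | cryptsetup open "$loop" "$name" --key-file -

    # Plaintext goes in through the mapping; conv=sync pads the marker to a full block.
    printf '%s' "$MARKER" | dd of="/dev/mapper/$name" bs=4096 count=1 \
        conv=notrunc,sync status=none
    sync

    # Check 1: the host that holds the key reads the plaintext back.
    if ! dd if="/dev/mapper/$name" bs=4096 count=1 status=none | grep -aq "$MARKER"; then
        echo fail-plaintext-not-readable
        return 0
    fi
    # Check 2: the backing store (our stand-in for the storage controller) has no marker.
    if grep -aq "$MARKER" "$img"; then
        echo fail-plaintext-leaked-to-backing-store
        return 0
    fi
    echo ok
}

demo_backing_store_sees_only_ciphertext
```

Run as root on a host with dm-crypt; the "ok" result is the property Ben describes: whichever service performs the I/O (Nova today, cinder for create-from-image or backup) can be given the key without the storage controller ever seeing plaintext, because the boundary is drawn at the device-mapper layer on that host.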