[openstack-dev] [cinder][glance]Upload encrypted volumes to images

Daniel P. Berrange berrange at redhat.com
Mon Nov 23 14:30:00 UTC 2015


On Mon, Nov 23, 2015 at 03:45:55AM +0000, Li, Xiaoyan wrote:
> Hi all,
> More help about volume encryption is needed. 
> 
> About uploading encrypted volumes to image, there are three options:
> 1. Glance only keeps non-encrypted images. So when uploading encrypted
> volumes to image, cinder de-crypts the data and upload.

This may be desirable in some cases, but for people wanting to provide
end to end encryption of all tenant data, unencrypting volumes when
converting them to images to store in glance is really the last thing
we want to do. Once tenant data is encrypted, the goal should be to
never decrypt it again except when booting an instance with the volume
or image.

> 2. Glance maintain encrypted images. Cinder just upload the encrypted
> data to image.

That is highly desirable as an option, since it allows glance to remain a
relatively untrusted component. The image signature work will soon allow
Nova to consider glance as untrusted, by allowing Nova to verify that Glance
has not tampered with the data that was provided by user, nor tried to serve
Nova data from a different user.  Following this lead, I think the ability
to prevent Glance seeing any plaintext data from the image is an obvious
beneficial step forwards.

> 3. Just prevent the function to upload encrypted volumes to images.

That's obviously fairly limiting.

> Option 1 No changes needed in Glance. But it may be not safe. As we
> decrypt the data, and upload it to images.

s/may be not safe/is not safe/.

> Option 2 This imports encryption to Glance which needs to manage the
> encryption metadata.

Glance doesn't need to do all that much besides recording a few
bits of metadata, so that doesn't seem unreasonable to do.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
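The data flow behind option 2, as an added example that is not part of the
original message nor of Cinder, Glance or Nova themselves: Cinder uploads
ciphertext plus a few metadata properties, Glance stores them as opaque
bytes without ever holding a key, and Nova fetches the key from the key
manager, checks the authentication tag (so a Glance that alters the data or
serves another tenant's image is caught) and only then decrypts. Everything
here is a stand-in: the HMAC-SHA256 counter-mode keystream replaces the real
volume cipher (Cinder uses LUKS/dm-crypt), the KeyManager class replaces
Barbican, and the image property names are invented for the example.

```python
import hashlib
import hmac
import os
import uuid

# Toy keystream: HMAC-SHA256 in counter mode. It exists only so the example
# runs on the standard library; it is NOT the cipher Cinder uses (LUKS/AES).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def _subkey(volume_key: bytes, purpose: bytes) -> bytes:
    # Separate keys for confidentiality and integrity, derived from the volume key.
    return hmac.new(volume_key, purpose, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(volume_key: bytes, key_id: str, nonce: bytes, ciphertext: bytes) -> str:
    # The tag binds key_id, nonce and ciphertext, so swapping any of them is detected.
    mac_key = _subkey(volume_key, b"mac")
    return hmac.new(mac_key, key_id.encode() + nonce + ciphertext, hashlib.sha256).hexdigest()

class KeyManager:
    """Barbican stand-in (assumed): keys are owned by a tenant and only that tenant may read them."""
    def __init__(self):
        self._keys = {}
    def create(self, tenant: str) -> str:
        key_id = str(uuid.uuid4())
        self._keys[key_id] = (tenant, os.urandom(32))
        return key_id
    def get(self, key_id: str, tenant: str) -> bytes:
        owner, key = self._keys[key_id]
        if owner != tenant:
            raise PermissionError("key %s is not owned by %s" % (key_id, tenant))
        return key

class Glance:
    """Glance never receives a key: it can only store, serve, or corrupt the blob."""
    def __init__(self):
        self._images = {}
    def upload(self, blob: bytes, properties: dict) -> str:
        image_id = str(uuid.uuid4())
        self._images[image_id] = (blob, dict(properties))
        return image_id
    def download(self, image_id: str):
        return self._images[image_id]
    def tamper(self, image_id: str) -> None:
        # Model a compromised Glance flipping one bit of the stored image data.
        blob, props = self._images[image_id]
        self._images[image_id] = (bytes([blob[0] ^ 0x01]) + blob[1:], props)

def cinder_upload_encrypted(volume: bytes, key_id: str, tenant: str, km: KeyManager, glance: Glance) -> str:
    """Option 2: upload ciphertext plus the metadata Nova needs; never decrypt."""
    volume_key = km.get(key_id, tenant)
    nonce = os.urandom(16)
    ciphertext = _xor(volume, _keystream(_subkey(volume_key, b"enc"), nonce, len(volume)))
    properties = {                       # property names are assumptions for this example
        "encryption_key_id": key_id,
        "encryption_cipher": "toy-hmac-ctr",
        "encryption_nonce": nonce.hex(),
        "encryption_tag": _tag(volume_key, key_id, nonce, ciphertext),
    }
    return glance.upload(ciphertext, properties)

def nova_boot_from_image(image_id: str, tenant: str, km: KeyManager, glance: Glance) -> bytes:
    """Nova side: verify before decrypting, treating Glance as untrusted."""
    blob, props = glance.download(image_id)
    key_id = props["encryption_key_id"]
    volume_key = km.get(key_id, tenant)          # raises if Glance served another tenant's image
    nonce = bytes.fromhex(props["encryption_nonce"])
    if not hmac.compare_digest(_tag(volume_key, key_id, nonce, blob), props["encryption_tag"]):
        raise ValueError("image data or metadata was altered in Glance")
    return _xor(blob, _keystream(_subkey(volume_key, b"enc"), nonce, len(blob)))

def demo() -> dict:
    km, glance = KeyManager(), Glance()
    volume = b"tenant-A secret root filesystem bytes " * 100   # constructed sample volume
    key_id = km.create("tenant-A")
    image_id = cinder_upload_encrypted(volume, key_id, "tenant-A", km, glance)
    blob, _ = glance.download(image_id)
    results = {
        "glance_sees_plaintext": blob == volume or b"secret" in blob,
        "nova_recovers_volume": nova_boot_from_image(image_id, "tenant-A", km, glance) == volume,
    }
    try:
        nova_boot_from_image(image_id, "tenant-B", km, glance)
        results["cross_tenant_blocked"] = False
    except PermissionError:
        results["cross_tenant_blocked"] = True
    glance.tamper(image_id)
    try:
        nova_boot_from_image(image_id, "tenant-A", km, glance)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results

if __name__ == "__main__":
    print(demo())
```

The point of the authentication tag covering the key id as well as the
ciphertext is that Glance holds neither key, so it can neither read the
image nor substitute a different one; the tenant check in the key manager
is what stops Nova from unwrapping an image that belongs to someone else.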
