[openstack-dev] [nova] Encrypted Ephemeral Storage

Coffman, Joel M. Joel.Coffman at jhuapl.edu
Thu Apr 14 16:56:05 UTC 2016


> Upon reading the source, I don't see "cryptsetup luksFormat" being called anywhere (nova/libvirt/storage/*).
Check out imagebackend.py:Lvm.create_image (https://github.com/openstack/nova/blob/master/nova/virt/libvirt/imagebackend.py#L690) and dmcrypt.py:create_volume (https://github.com/openstack/nova/blob/master/nova/virt/libvirt/storage/dmcrypt.py#L48).

> How is this feature envisioned to work?
The LVM volume with the '-dmcrypt' suffix is the unencrypted device that is passed to the VM. From a DevStack machine with an encrypted instance:

$ sudo cryptsetup status /dev/mapper/065859b2-50d6-46d6-927a-2dfd07db3306_disk-dmcrypt
/dev/mapper/065859b2-50d6-46d6-927a-2dfd07db3306_disk-dmcrypt is active and is in use.
  type:    PLAIN
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/mapper/stack--volumes--default-065859b2--50d6--46d6--927a--2dfd07db3306_disk
  offset:  0 sectors
  size:    2097152 sectors
  mode:    read/write

$ sudo fuser -vam /dev/mapper/065859b2-50d6-46d6-927a-2dfd07db3306_disk-dmcrypt
                     USER        PID ACCESS COMMAND
/dev/dm-1:           libvirt-qemu   8429 F.... qemu-system-x86

While information in the '*-dmcrypt' device is visible to a root user on the compute host, the underlying device (stack--volumes--default-* in the example above) is encrypted, and everything written to the underlying disk is also encrypted. Try searching for the text in the underlying device – you shouldn't be able to find it.

Joel
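
The check described above (confirm the dm-crypt mapping, find its backing LV, and verify that a marker written inside the guest is visible through the mapper but not on the backing device) as a script; this is an added example, not code from the thread or from Nova. It assumes the naming convention shown above (/dev/mapper/<instance-uuid>_disk-dmcrypt on top of an LVM logical volume), that cryptsetup and grep are on the compute host, and that the marker string has already been written to a file inside the guest; the helper names are made up for this example. Two facts worth keeping in mind when reading the status output: a PLAIN mapping has no on-disk header, which is why no luksFormat call exists, and for aes-xts-plain64 the "keysize" cryptsetup reports is the combined XTS key, so 256 bits means AES-128.

```shell
#!/usr/bin/env bash
# Added example (not part of the thread): verify that a Nova LVM ephemeral disk
# is really encrypted. Run as root on the compute host.
set -u

# Print one field ("type", "cipher", "device", ...) from `cryptsetup status`
# output supplied on stdin. Pure text parsing, so it needs no privileges.
status_field() {
    # $1 = field name
    awk -v f="$1:" '$1 == f { print $2; exit }'
}

# Return 0 if the marker string occurs in the given block device, 1 otherwise.
# -a treats the device as text, -F matches literally, -q stops at the first hit.
marker_in_device() {
    # $1 = device path, $2 = marker string
    grep -aqF -- "$2" "$1"
}

# Full check for one instance UUID (hypothetical helper name).
# Exit codes: 0 ok, 1 plaintext leaked to the backing LV, 2 no mapping,
# 3 marker not visible even through the mapper (write it in the guest first).
verify_ephemeral_encryption() {
    local uuid="$1" marker="$2"
    local mapper="/dev/mapper/${uuid}_disk-dmcrypt"
    local status backing ctype cipher
    status=$(cryptsetup status "$mapper") || { echo "no dm-crypt mapping for $uuid"; return 2; }
    ctype=$(printf '%s\n' "$status" | status_field type)
    cipher=$(printf '%s\n' "$status" | status_field cipher)
    backing=$(printf '%s\n' "$status" | status_field device)
    echo "mapping=$mapper type=$ctype cipher=$cipher backing=$backing"

    # The mapper is the plaintext view handed to QEMU, so the marker must be here.
    if ! marker_in_device "$mapper" "$marker"; then
        echo "marker not found via the mapper; write it inside the guest and sync first"
        return 3
    fi
    # The backing LV holds only ciphertext; a hit here means encryption is not in effect.
    if marker_in_device "$backing" "$marker"; then
        echo "FAIL: marker found in plaintext on $backing"
        return 1
    fi
    echo "OK: marker visible through $mapper but absent from $backing"
}

# Usage (as root), after creating a file containing the marker inside the guest:
#   verify_ephemeral_encryption 065859b2-50d6-46d6-927a-2dfd07db3306 "SECRET-MARKER-42"
```

Grepping a block device reads the whole volume, so on a large ephemeral disk the two scans take a while; the marker should be long and unlikely to occur by chance, since a short string can appear in random-looking ciphertext.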


From: Chris Buccella <chris.buccella at verilume.com>
Reply-To: "openstack-dev at lists.openstack.org" <openstack-dev at lists.openstack.org>
Date: Monday, April 11, 2016 at 1:06 PM
To: "openstack-dev at lists.openstack.org" <openstack-dev at lists.openstack.org>
Subject: [openstack-dev] [nova] Encrypted Ephemeral Storage

I've been looking into using encrypted ephemeral storage with LVM. With the [ephemeral_storage_encryption] and [keymgr] sections in nova.conf, I get an LVM volume with "-dmcrypt" appended to the volume name, but otherwise see no difference; I can still grep for text inside the volume.

Upon reading the source, I don't see "cryptsetup luksFormat" being called anywhere (nova/libvirt/storage/*).

I was expecting a new encrypted LVM volume when a new instance was created. Are my expectations misplaced? How is this feature envisioned to work?


Thanks,

-Chris