[openstack-dev] [nova] Encrypted Ephemeral Storage
chris.buccella at antallagon.com
Mon Apr 25 15:07:10 UTC 2016
Thanks Joel. I was able to try this again and can confirm it works as you
Based on the comments to the RBD encryption change , it looks like there
will be a new direction for ephemeral disk encryption (embedding it in QEMU
directly). I assume LVM will work the same way when the time comes. Will
there be a migration path for the existing ephemeral disk encryption
support for LVM to the new model?
On Thu, Apr 14, 2016 at 12:56 PM, Coffman, Joel M. <Joel.Coffman at jhuapl.edu>
> > Upon reading the source, I don't see "cryptsetup luksFormat" being
> called anywhere (nova/libvirt/storage/*).
> Check out imagebackend.py:Lvm.create_image
> and dmcrypt.py:create_volume
> > How is this feature envisioned to work?
> The LVM volume with the '-dmcrypt' suffix is the *unencrypted* device
> that is passed to the VM. From a DevStack machine with an encrypted
> *$* sudo cryptsetup status
> /dev/mapper/065859b2-50d6-46d6-927a-2dfd07db3306_disk-dmcrypt is active
> and is in use.
> type: PLAIN
> cipher: aes-xts-plain64
> keysize: 256 bits
> offset: 0 sectors
> size: 2097152 sectors
> mode: read/write
> *$* sudo fuser -vam
> USER PID ACCESS COMMAND
> /dev/dm-1: libvirt-qemu 8429 F.... qemu-system-x86
> While information in the '*-dmcrypt' device is visible to a root user on
> the compute host, the underlying device (stack--volumes--default-* in the
> example above) is encrypted, and everything written to the underlying disk
> is also encrypted. Try searching for the text in the underlying device –
> you shouldn't be able to find it.
> From: Chris Buccella <chris.buccella at verilume.com>
> Reply-To: "openstack-dev at lists.openstack.org" <
> openstack-dev at lists.openstack.org>
> Date: Monday, April 11, 2016 at 1:06 PM
> To: "openstack-dev at lists.openstack.org" <openstack-dev at lists.openstack.org
> Subject: [openstack-dev] [nova] Encrypted Ephemeral Storage
> I've been looking into using encrypted ephemeral storage with LVM. With
> the [ephemeral_storage_encryption] and [keymgr] sections to nova.conf, I
> get an LVM volume with "-dmcrypt" is appended to the volume name, but
> otherwise see no difference; I can still grep for text inside the volume.
> Upon reading the source, I don't see "cryptsetup luksFormat" being called
> anywhere (nova/libvirt/storage/*).
> I was expecting a new encrypted LVM volume when a new instance was
> created. Are my expectations misplaced? How is this feature envisioned to
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev