On 25-05-17 11:38:44, Duncan Thomas wrote:
> On 25 May 2017 at 11:00, Lee Yarwood <lyarwood at redhat.com> wrote:
> > This has also reminded me that the plain (dm-crypt) format really needs
> > to be deprecated this cycle. I posted to the dev and ops ML [2] last
> > year about this but received no feedback. Assuming there are no last
> > minute objections I'm going to move forward with deprecating this format
> > in os-brick this cycle.
> What is the reasoning for this? There are plenty of people using it, and
> you're going to break them going forward if you remove it.

I didn't receive any feedback indicating that we had any users of plain
when I initially posted to the ML. That said, there obviously can be
users out there and my intention isn't to pull support for this format
immediately without any migration path to LUKS etc.

As for the reasoning, the main issue I've seen reported against plain is
that there's always a potential for data loss if an incorrect passphrase
or options are provided when opening the device [1].

There are further reasons for choosing LUKS over plain documented in
various places [2][3][4] that all seem to suggest that it is a better
and safer choice.


[1] https://bugs.launchpad.net/nova/+bug/1639221
[2] https://security.stackexchange.com/questions/90468/why-is-plain-dm-crypt-only-recommended-for-experts
[3] https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
[4] https://wiki.archlinux.org/index.php/Disk_encryption#Block_device_encryption
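
The data-loss risk mentioned above comes from plain dm-crypt keeping no metadata on disk, so a wrong passphrase or wrong options cannot be detected before the device is mapped. The sketch below is an added example, not part of the original message or of os-brick. It assumes the LUKS1 header layout, skips the keyslot step that would normally produce the candidate key, and uses constructed sample data throughout.

```python
import hashlib
import hmac
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# Start of the LUKS1 header (big-endian): magic, version, cipher name, cipher mode,
# hash spec, payload offset, key bytes, master-key digest, digest salt, iterations.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI")


def build_sample_header(master_key, salt, iterations):
    """Constructed LUKS1-style header for this demo, not read from a real volume."""
    digest = hashlib.pbkdf2_hmac("sha1", master_key, salt, iterations, 20)
    return PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1",
                     4096, len(master_key), digest, salt, iterations)


def check_candidate_key(first_bytes, candidate_key):
    """Classify a candidate volume key as 'ok', 'rejected' or 'unverifiable'."""
    if len(first_bytes) < PHDR.size or not first_bytes.startswith(LUKS_MAGIC):
        # No header: plain dm-crypt (or unformatted data). Any key maps the
        # device, and a wrong one just yields garbage that may get overwritten.
        return "unverifiable"
    (_, version, _, _, hash_spec, _, key_bytes,
     digest, salt, iterations) = PHDR.unpack_from(first_bytes)
    if version != 1:
        return "unverifiable"  # this sketch only parses the LUKS1 layout
    if len(candidate_key) != key_bytes:
        return "rejected"
    algo = hash_spec.rstrip(b"\0").decode("ascii")
    check = hashlib.pbkdf2_hmac(algo, candidate_key, salt, iterations, len(digest))
    # The stored digest lets a wrong key be refused before any mapping exists.
    return "ok" if hmac.compare_digest(check, digest) else "rejected"


# Constructed sample inputs (hypothetical key, salt and "ciphertext").
SAMPLE_KEY = bytes(range(32))
SAMPLE_LUKS = build_sample_header(SAMPLE_KEY, b"\x11" * 32, 1000)
SAMPLE_PLAIN = hashlib.sha256(b"constructed ciphertext").digest() * 8

if __name__ == "__main__":
    print("LUKS, right key:", check_candidate_key(SAMPLE_LUKS, SAMPLE_KEY))
    print("LUKS, wrong key:", check_candidate_key(SAMPLE_LUKS, b"\xff" * 32))
    print("plain, any key :", check_candidate_key(SAMPLE_PLAIN, b"\xff" * 32))
```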
