[openstack-dev] [nova][cinder] Using externally stored keys for encryption

Mohammed Naser mnaser at vexxhost.com
Sun Nov 4 11:53:22 UTC 2018

Hi everyone:

I've been digging around the documentation of Nova, Cinder and the
encrypted disks feature and I've been a bit stumped on something which
I think is a very relevant use case that might not be possible (or it
is and I have totally missed it!)

It seems that both Cinder and Nova assume that secrets are always
stored within the Barbican deployment in the same cloud.  This makes a
lot of sense; however, in scenarios where the consumer of an OpenStack
cloud wants to operate it without trusting the cloud, they won't be
able to have encrypted volumes that make sense. An example:

- Create encrypted volume, keys are stored in Barbican
- Boot VM using said encrypted volume, Nova pulls keys from Barbican,
starts VM..

However, this means that the deployer can at any time pull down the
keys and decrypt things locally to do $bad_things.  However, if we had
something like either of the following two ideas:

- Allow for "run-time" providing secret on boot (maybe something added
to the start/boot VM API?)
- Allow for pointing towards an external instance of Barbican

By using those 2, we allow OpenStack users to operate their VMs
securely and allow them to have control over their keys.  If they
want to revoke all access, they can shut down all the VMs and cut
access to their key storage management and not worry about someone
just pulling them down from the internal Barbican.

Hopefully I did a good job explaining this use case and I'm just
wondering if this is a thing that's possible at the moment or if we
perhaps need to look into it.


Mohammed Naser — vexxhost
D. 514-316-8872
D. 800-910-1726 ext. 200
E. mnaser at vexxhost.com
W. http://vexxhost.com
