<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 2/13/2013 12:51 PM, Oleg Gelbukh
wrote:<br>
</div>
<blockquote
cite="mid:CAFkLEwqE1mAdbCvrK7sCOJW0qb1Kr9q-CGjNxiHUJsz8DCM+rw@mail.gmail.com"
type="cite">
<div dir="ltr">Hello,
<div><br>
</div>
<div>I believe that this discussion needs to be split into
two parts: encryption algorithms and specific tools, and key
management.</div>
<div><br>
</div>
<div>The implementation of actual encryption is specific to
every project. We identified a number of blueprints which
utilize encryption in one way or another:</div>
<div>
<div style="font-family:arial,sans-serif;font-size:13px"><a
moz-do-not-send="true"
href="https://blueprints.launchpad.net/keystone/+spec/access-key-authentication"
target="_blank">https://blueprints.launchpad.net/keystone/+spec/access-key-authentication</a><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px"><a
moz-do-not-send="true"
href="https://blueprints.launchpad.net/nova/+spec/encrypt-ephemeral-volumes"
target="_blank">https://blueprints.launchpad.net/nova/+spec/encrypt-ephemeral-volumes</a><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px"><a
moz-do-not-send="true"
href="https://blueprints.launchpad.net/swift/+spec/encrypted-objects"
target="_blank">https://blueprints.launchpad.net/swift/+spec/encrypted-objects</a><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px"><a
moz-do-not-send="true"
href="https://blueprints.launchpad.net/nova/+spec/encrypt-cinder-volumes"
target="_blank">https://blueprints.launchpad.net/nova/+spec/encrypt-cinder-volumes</a><br>
</div>
</div>
<div><br>
</div>
<div>All these blueprints involve some key management, and it
seems reasonable to implement it as a shared component. Where
it belongs is a discussion topic. Our understanding is
that the Keystone API could be extended with a new resource, keys/, to
proxy key operations with pluggable back-end drivers (much
like Identity or Catalog).</div>
<div><br>
</div>
<div style="">Please, tell me if this sounds reasonable to you.
Do you think this kind of discussion should take place at
Summit?</div>
<div><br>
</div>
<div style="">--<br>
Best regards,</div>
<div style="">Oleg</div>
</div>
<div class="gmail_extra"><br>
</div>
</blockquote>
Agreed; separation of key management from specific encryption
algorithms, or how encryption is actually done, is vital.<br>
<br>
We also want to enable use of common encryption/decryption solutions
underlying all OpenStack projects.
Vendors should be able to implement this once, and not be forced to
support Cinder in 2Q14 while waiting
for 4Q14 for Swift. If someone wants to support just Cinder or just
Swift, that's fine. But you shouldn't support
both yet only support encryption for one.<br>
<br>
</body>
</html>