<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><span>Malini, I was happy to learn about a key manager discussion at the summit. Do you know what track this would be under? I can't decide if this should be in Keystone or maybe a whole new service. I like the idea of a whole new service myself because I think it helps to have the separation and prevent bloating of functionality for components. On the other hand, I probably don't want a dozen services.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>I like the idea of the key-id. I think we may end up
using that idea. This will help us to support snapshot operations.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>One item we have yet to tackle is cloning. I think there are a few options for this.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>1) Don't support clone operations for encrypted volumes. This is easy to implement and prevents key
reuse, but it limits functionality.<br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>2) Support clone with same key. This should be easy to implement as well. We could use the metadata key-id and set it to the same value for the clone. The drawback to this is that the key has multiple uses, and it could be used to decrypt many different volumes. I don't like the idea of that. If the key is compromised then what do you do?</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>3) Support clone with different key. You could do this by decrypting the bytes from the original volume and encrypting them with a new key. If we are going to support cloning then I think I like this
approach the best. The drawback on this is time.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>There are similar issues for snapshots, but I am not as opposed to option 2 for snapshots. Any thoughts on this?</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>-Nate<br></span></div><div><br></div> <div style="font-family: times new roman, new york, times,
serif; font-size: 12pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> "Bhandaru, Malini K" <malini.k.bhandaru@intel.com><br> <b><span style="font-weight: bold;">To:</span></b> OpenStack Development Mailing List <openstack-dev@lists.openstack.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Wednesday, February 13, 2013 4:32 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> RE: [openstack-dev] Volume Encryption<br> </font> </div> <br>
<div id="yiv1290123928">
<style><!--
#yiv1290123928
_filtered #yiv1290123928 {font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;}
_filtered #yiv1290123928 {font-family:Tahoma;panose-1:2 11 6 4 3 5 4 4 2 4;}
#yiv1290123928
#yiv1290123928 p.yiv1290123928MsoNormal, #yiv1290123928 li.yiv1290123928MsoNormal, #yiv1290123928 div.yiv1290123928MsoNormal
{margin:0in;margin-bottom:.0001pt;font-size:12.0pt;font-family:"Times New Roman", "serif";}
#yiv1290123928 a:link, #yiv1290123928 span.yiv1290123928MsoHyperlink
{color:blue;text-decoration:underline;}
#yiv1290123928 a:visited, #yiv1290123928 span.yiv1290123928MsoHyperlinkFollowed
{color:purple;text-decoration:underline;}
#yiv1290123928 p.yiv1290123928MsoPlainText, #yiv1290123928 li.yiv1290123928MsoPlainText, #yiv1290123928 div.yiv1290123928MsoPlainText
{margin:0in;margin-bottom:.0001pt;font-size:11.0pt;font-family:"Calibri", "sans-serif";}
#yiv1290123928 span.yiv1290123928EmailStyle17
{font-family:"Calibri", "sans-serif";color:#1F497D;}
#yiv1290123928 span.yiv1290123928PlainTextChar
{font-family:"Calibri", "sans-serif";}
#yiv1290123928 .yiv1290123928MsoChpDefault
{font-family:"Calibri", "sans-serif";}
_filtered #yiv1290123928 {margin:1.0in 1.0in 1.0in 1.0in;}
#yiv1290123928 div.yiv1290123928WordSection1
{}
--></style>
<div>
<div class="yiv1290123928WordSection1">
<div class="yiv1290123928MsoPlainText">Oleg, just the thought I had earlier in the day!</div>
<div class="yiv1290123928MsoPlainText">Suggested a session for key manager at http://summit.openstack.org/.</div>
<div class="yiv1290123928MsoPlainText">To your list of blueprints, I added another one I found.</div>
<div class="yiv1290123928MsoPlainText"> </div>
<div class="yiv1290123928MsoPlainText">Nate, if your volume meta data included a key-id, it could pull the key-string from the key-manager (as yet a fuzzy) entity.</div>
<div class="yiv1290123928MsoPlainText"> </div>
<div class="yiv1290123928MsoPlainText">The keystone token could also capture preferences for encryption algorithm (for Cinder/Glance/Swift) and these default to</div>
<div class="yiv1290123928MsoPlainText">strong versions like Caitlin suggests.</div>
<div class="yiv1290123928MsoPlainText"> </div>
<div class="yiv1290123928MsoPlainText">Regards,</div>
<div class="yiv1290123928MsoPlainText">Malini</div>
<div class="yiv1290123928MsoPlainText"> </div>
<div class="yiv1290123928MsoNormal"><span style="font-size:11.0pt;color:#1F497D;"> </span><br> </div></div></div></div></div> </div> </div></body></html>