<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.im
{mso-style-name:im;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:632754657;
mso-list-type:hybrid;
mso-list-template-ids:-1892795020 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi all,
<o:p></o:p></span></a></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Let me summarize the most important items that need attach/detach encryptors in Cinder:<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Create an encrypted volume from images.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Migrate an unencrypted volume to encrypted.<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Except above, we may need to upload encrypted volume to Glance. If needs to change encryption keys or upload unencrypted images it needs encryptors.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">If we can’t provide above functions, I think it will prevent the popular of Cinder encryption usage.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Best wishes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Lisa<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Li, Xiaoyan [mailto:xiaoyan.li@intel.com]
<br>
<b>Sent:</b> Monday, November 23, 2015 8:57 PM<br>
<b>To:</b> OpenStack Development Mailing List (not for usage questions); Daniel P. Berrange<br>
<b>Subject:</b> Re: [openstack-dev] [cinder][nova]Move encryptors to os-brick<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Except creating encrypted volume from images, uploading encrypted volumes to image, as Duncan said there is desire to migrate volumes between encrypted and unencrypted
type. <o:p></o:p></span></p>
<p class="MsoNormal"><a href="https://review.openstack.org/#/c/248593/"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">https://review.openstack.org/#/c/248593/</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">And key magagment codes are duplicated in Cinder and Nova:
<o:p></o:p></span></p>
<p class="MsoNormal"><a href="https://github.com/openstack/cinder/tree/master/cinder/keymgr"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">https://github.com/openstack/cinder/tree/master/cinder/keymgr</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><a href="https://github.com/openstack/nova/tree/master/nova/keymgr"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">https://github.com/openstack/nova/tree/master/nova/keymgr</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Best wishes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Lisa<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Duncan Thomas [</span><a href="mailto:duncan.thomas@gmail.com"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">mailto:duncan.thomas@gmail.com</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">]
<br>
<b>Sent:</b> Monday, November 23, 2015 8:29 PM<br>
<b>To:</b> Daniel P. Berrange; OpenStack Development Mailing List (not for usage questions)<br>
<b>Subject:</b> Re: [openstack-dev] [cinder][nova]Move encryptors to os-brick<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi Daniel<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Much of this got discussed before.
<br>
<br>
Encrypted images uploaded to glance aren't shareable, and there is definitely a desire by many users to keep the usual glance functionality while having encryption at rest in cinder for e.g. regulatory purposes.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">There is also some desire to be able to migrate unencrypted volume types to encrypted types inside cinder, which would require cinder to be able to create an encrypted volume in a similar way to creating from
an image.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Managing access to the key data is, as far as I'm aware, the job of e.g. barbican/castellan, not nova per se. There are several usecases for encryption, and several of the less paranoid make good sense without requiring nova to be the only
thing with access to the key material.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 23 November 2015 at 13:21, Daniel P. Berrange <<a href="mailto:berrange@redhat.com" target="_blank">berrange@redhat.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:9.6pt">
On Fri, Nov 20, 2015 at 11:34:29AM -0800, Walter A. Boring IV wrote:<br>
> On 11/20/2015 10:19 AM, Daniel P. Berrange wrote:<br>
> >On Fri, Nov 20, 2015 at 02:45:15PM +0200, Duncan Thomas wrote:<br>
> >>Brick does not have to take over the decisions in order to be a useful<br>
> >>repository for the code. The motivation for this work is to avoid having<br>
> >>the dm setup code copied wholesale into cinder, where it becomes difficult<br>
> >>to keep in sync with the code in nova.<br>
> >><br>
> >>Cinder needs a copy of this code since it is on the data path for certain<br>
> >>operations (create from image, copy to image, backup/restore, migrate).<br>
> >A core goal of using volume encryption in Nova is to provide protection for<br>
> >tenant data, from a malicious storage service. ie if the decryption key<br>
> >is only ever used by Nova on the compute node, then cinder only ever sees<br>
> >ciphertext, never plaintext. Thus if cinder is compromised, then it can<br>
> >not compromise any data stored in any encrypted volumes.<br>
> ><br>
> >If cinder is looking to get access to the dm-setup code, this seems to<br>
> >imply that cinder will be getting access to the plaintext data, which<br>
> >feels to me like it de-values the volume encryption feature somewhat.<br>
> ><br>
> >I'm fuzzy on the details of just what code paths cinder needs to be<br>
> >able to convert from plaintext to ciphertext or vice versa, but in<br>
> >general I think it is desirable if we can avoid any such operation<br>
> >in cinder, and keep it so that only Nova compute nodes ever see the<br>
> >decrypted data.<br>
> Being able to limit the number of points where an encrypted volume can be<br>
> used unencrypted is obviously a good goal.<br>
> Unfortunately, it's entirely unrealistic to expect Cinder to never have<br>
> that access.<br>
><br>
> Cinder currently needs access to write data to volumes that are encrypted<br>
> for several operations.<br>
><br>
> 1) copy volume to image<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:9.6pt">
If a volume is encrypted and it is being copied to an image, IMHO we<br>
should not aim to decrypt it. We should copy the data as is and mark<br>
the image as encrypted in glance, and then use it as is next time the<br>
image is needed.<br>
<br>
FYI, Nova is already aiming to consider both the glance data storage<br>
and the glance service as a whole, as untrustworthy. The first step<br>
in this is using cryptographic signatures to detect unauthorized<br>
image data modification by a compromised glance. Encryption will be<br>
a later step in the process.<br>
<br>
> 2) copy image to volume<br>
<br>
This is semi-plausible as a place where Cinder needs to go from<br>
unencrypted image data to encrypted volume data, when a user is<br>
creating a volume from an image ahead of time, distinct from any<br>
VM boot attempt. In such a case it is desirable that Cinder not<br>
be able to request any existing volume keys from the key server,<br>
merely have the ability to upload new keys and throw away its<br>
local copy thereafter.<br>
<br>
> 3) backup<br>
<br>
Cinder should really not try to decrypt volumes when backing them<br>
up. If it conversely wants to encrypt volumes during backup, it<br>
can do so with separate backup keys, distinct from those used for<br>
primary volume encryption for use at runtime.<br>
<br>
<br>
<span class="im">Regards,</span><br>
<span class="im">Daniel</span><br>
<span class="im">--</span><br>
<span class="im">|: </span><a href="http://berrange.com" target="_blank">http://berrange.com</a><span class="im"> -o-
</span><a href="http://www.flickr.com/photos/dberrange/" target="_blank">http://www.flickr.com/photos/dberrange/</a><span class="im"> :|</span><br>
<span class="im">|: </span><a href="http://libvirt.org" target="_blank">http://libvirt.org</a><span class="im"> -o- </span><a href="http://virt-manager.org" target="_blank">http://virt-manager.org</a><span class="im"> :|</span><br>
<span class="im">|: </span><a href="http://autobuild.org" target="_blank">http://autobuild.org</a><span class="im"> -o- </span><a href="http://search.cpan.org/~danberr/" target="_blank">http://search.cpan.org/~danberr/</a><span class="im"> :|</span><br>
<span class="im">|: </span><a href="http://entangle-photo.org" target="_blank">http://entangle-photo.org</a><span class="im"> -o- </span><a href="http://live.gnome.org/gtk-vnc" target="_blank">http://live.gnome.org/gtk-vnc</a><span class="im"> :|</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:5.0pt;margin-left:9.6pt">
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">
OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<br>
-- <o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">-- <br>
Duncan Thomas<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
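<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Added example, not code from this thread nor from Cinder, Nova or os-brick: a runnable model of the key-access split Daniel argues for above (Cinder may only upload new keys and must discard its local copy; only a Nova compute node may fetch a key; copy-to-image passes ciphertext through unchanged and marks the image encrypted). The key manager, its per-service policy table, the service names and the dict shapes are assumptions standing in for Barbican/Castellan; the cipher is a constructed HMAC-SHA256 keystream so the example runs with the standard library, where a real deployment uses dm-crypt (AES-XTS) on the compute node.</span></p>
<pre>
```python
"""Least-privilege key handling for encrypted volumes (added example).

Not code from Cinder, Nova or os-brick. Key manager, policy table, service
names and the cipher are assumptions; the HMAC keystream stands in for
dm-crypt so the example runs with the standard library only.
"""
import hashlib
import hmac
import secrets
import uuid


class KeyManager:
    """Stand-in for Barbican/Castellan with a per-service policy (assumed)."""

    POLICY = {
        "cinder": {"store"},         # may upload new keys, never read them back
        "nova": {"store", "get"},    # the only service that ever sees plaintext
    }

    def __init__(self):
        self._keys = {}
        self.audit = []              # (service, action, result) per request

    def _check(self, service, action):
        if action not in self.POLICY.get(service, set()):
            self.audit.append((service, action, "DENIED"))
            raise PermissionError(f"{service} may not {action} keys")
        self.audit.append((service, action, "OK"))

    def store(self, service, key):
        self._check(service, "store")
        key_id = str(uuid.uuid4())
        self._keys[key_id] = key
        return key_id

    def get(self, service, key_id):
        self._check(service, "get")
        return self._keys[key_id]


def keystream_xor(key, data):
    """Constructed stream cipher: XOR data with HMAC-SHA256(key, block counter).

    Symmetric, so one call both encrypts and decrypts. Acceptable here only
    because each volume gets a fresh key and is written once; it is a stand-in
    for dm-crypt, not a construction to reuse.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        ks = hmac.new(key, counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def cinder_create_volume_from_image(km, image_plaintext):
    """Cinder, create-from-image: the one path where Cinder touches plaintext.
    It generates a fresh key, encrypts, uploads the key and keeps no copy."""
    key = secrets.token_bytes(32)
    ciphertext = keystream_xor(key, image_plaintext)
    key_id = km.store("cinder", key)
    del key                          # nothing left in Cinder that can decrypt
    return {"key_id": key_id, "data": ciphertext}


def cinder_copy_volume_to_image(volume):
    """Cinder, copy-to-image: ciphertext goes to Glance as-is, marked encrypted.
    No key is needed, so a compromised Cinder or Glance sees only ciphertext."""
    return {"encrypted": True, "key_id": volume["key_id"], "data": volume["data"]}


def nova_attach_and_read(km, volume):
    """Nova compute node: fetches the key and produces plaintext for the guest."""
    key = km.get("nova", volume["key_id"])
    return keystream_xor(key, volume["data"])


def cinder_can_read_volume(km, volume):
    """What a compromised Cinder can do with an existing volume: the policy
    denies its key fetch. Returns True only if the fetch succeeds."""
    try:
        km.get("cinder", volume["key_id"])
        return True
    except PermissionError:
        return False


def demo():
    """Run the data paths from the thread and return the key manager audit log."""
    km = KeyManager()
    image = b"constructed sample image: boot sector + root fs " * 4
    volume = cinder_create_volume_from_image(km, image)
    assert volume["data"] != image                      # Cinder stored ciphertext
    glance_image = cinder_copy_volume_to_image(volume)
    assert glance_image["encrypted"] and glance_image["data"] == volume["data"]
    assert nova_attach_and_read(km, volume) == image    # only Nova gets plaintext
    assert cinder_can_read_volume(km, volume) is False  # Cinder is denied the key
    return km.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```
</pre>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Running the file prints the audit log: one permitted store by cinder, one permitted get by nova, and one denied get by cinder. The policy split is the whole point: if the create-from-image and migrate paths are the only ones where Cinder handles plaintext, giving Cinder a store-only role on the key manager keeps a compromised Cinder from decrypting any volume it did not itself just create.</span></p>
</div>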
</body>
</html>