[Openstack-operators] [nova][cinder] Deprecating ConfKeyManager (fixed-key key manager)

Farr, Kaitlin M. Kaitlin.Farr at jhuapl.edu
Wed Dec 30 20:39:37 UTC 2015


Please reply or send me an email if you are using the ConfKeyManager
(fixed-key key manager) in deployment for volume encryption or
ephemeral storage encryption. You can check this by looking at the
[keymgr] section, api_class entry of nova.conf or cinder.conf. The
ConfKeyManager was only intended for testing and I am working on
deprecating it. I would like to gauge the number of people using
that back end, because it may affect the deprecation strategy.

This is the start of the effort to replace the duplicated key manager
code with Castellan [1], a key manager interface library that allows
the user to swap out different back ends, such as Barbican. While
Castellan is based on the key managers built into Nova and Cinder, it
does not have the fixed-key back end. That back end is insecure. A single
key is used for all volumes. If the key is compromised, all of the
encrypted data is easily decrypted. See Joel Coffman's comments on the
Nova spec [2]. Deprecating the fixed-key key manager would need to
occur before Castellan is integrated.

Again, please let me know if you use the ConfKeyManager and you
actively use the volume encryption and encrypted cinder volume features
in a deployment

Other feedback is also welcome.

I created a separate thread on the openstack-dev mailing list, please reply
there with comments or questions.


Kaitlin Farr

1. Castellan source code. https://github.com/openstack/castellan
2. Castellan integration Nova spec. https://review.openstack.org/#/c/247561/
3. Castellan integration Cinder spec. https://review.openstack.org/#/c/247577/

More information about the OpenStack-operators mailing list