[Openstack-operators] Encrypted Cinder Volume Deployment

Joe Topjian joe at topjian.net
Sun Feb 5 10:10:26 UTC 2017


Just an update on this:

I've confirmed that specifying a fixed_key in both Cinder and Nova works
quite easily. However, if the key is changed, volumes created with the
original fixed_key are irrecoverable, and there doesn't seem to be a way to
safely rotate fixed keys...

I spent some time trying to set up Barbican in a Packstack-deployed AIO
environment, but was unable to do so, so I couldn't test any other form of
encrypted block storage volumes. Because of time constraints, I'll have to
table this for another time.

If anyone comes across this in the mailing list archives and has an update,
do post :)

Thanks,
Joe

On Mon, Jan 23, 2017 at 8:58 PM, Joe Topjian <joe at topjian.net> wrote:

> Hi Kris,
>
> I came across that as well and I believe it has been fixed and ensures
> existing volumes are accessible:
>
> https://github.com/openstack/nova/blob/8c3f775743914fe083371a31433ef5563015b029/releasenotes/notes/bug-1633518-0646722faac1a4b9.yaml
>
> Definitely worthwhile to bring up :)
>
> Joe
>
> On Mon, Jan 23, 2017 at 12:53 PM, Kris G. Lindgren <klindgren at godaddy.com>
> wrote:
>
>> Slightly off topic,
>>
>> But I remember a discussion involving encrypted volumes and nova(?) and
>> there was an issue/bug where nova was using the wrong key –
>> like it got hashed wrong and was using the badly hashed key/password vs.
>> what was configured.
>>
>> ___________________________________________________________________
>>
>> Kris Lindgren
>> Senior Linux Systems Engineer
>> GoDaddy
>>
>> *From: *Joe Topjian <joe at topjian.net>
>> *Date: *Monday, January 23, 2017 at 12:41 PM
>> *To: *"openstack-operators at lists.openstack.org" <
>> openstack-operators at lists.openstack.org>
>> *Subject: *[Openstack-operators] Encrypted Cinder Volume Deployment
>>
>> Hi all,
>>
>> I'm investigating the options for configuring Cinder with encrypted
>> volumes and have a few questions.
>>
>> The Cinder environment is currently running Kilo which will be upgraded
>> to something between M-O later this year. The Kilo release supports the
>> fixed_key setting. I see fixed_key is still supported, but has been
>> abstracted into Castellan.
>>
>> Question: If I configure Kilo with a fixed key, will existing volumes
>> still be able to work with that same fixed key in an M, N, O release?
>>
>> Next, fixed_key is discouraged because of it being a single key for all
>> tenants. My understanding is that Barbican provides a way for each tenant
>> to generate their own key.
>>
>> Question: If I deploy with fixed_key (either now or in a later release),
>> can I move from a master key to Barbican without bricking all existing
>> volumes?
>>
>> Are there any other issues to be aware of? I've done a bunch of Googling
>> and searching on bugs.launchpad.net and am pretty satisfied with the
>> current state of support. My intention is to provide users with simple
>> native encrypted volume support - not so much supporting uploaded volumes,
>> bootable volumes, etc.
>>
>> But what I want to make sure of is that I'm not in a position where in
>> order to upgrade, a bunch of volumes become irrecoverable.
>>
>> Thanks,
>>
>> Joe
>>
>
>
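Joe's update at the top of this thread notes that fixed_key must be set identically in Cinder and Nova and that a changed key makes existing volumes unreadable. The following is an added pre-upgrade check, not code from the thread or from OpenStack: it reads fixed_key out of both config files (constructed sample fragments below) and fails if the values are missing, differ, or are not a 64-hex-digit key. It assumes the option lives under [keymgr] in Kilo and [key_manager] in the Castellan-based releases.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenStack). Section name is
# assumed to be [keymgr] in Kilo and [key_manager] from Newton on.

# Print the fixed_key value from a config file, or nothing if absent.
fixed_key_of() {
    awk -F= '
        /^\[/ { in_sec = ($0 == "[keymgr]" || $0 == "[key_manager]") }
        in_sec && $1 ~ /^[ \t]*fixed_key[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; exit
        }' "$1"
}

# Return 0 only when both files define the same 64-hex-digit (256-bit) key;
# any mismatch here is a volume that will not open on the other service.
check_fixed_keys() {
    ck=$(fixed_key_of "$1"); nk=$(fixed_key_of "$2")
    [ -n "$ck" ] || { echo "no fixed_key in $1" >&2; return 1; }
    [ -n "$nk" ] || { echo "no fixed_key in $2" >&2; return 1; }
    [ "$ck" = "$nk" ] || { echo "fixed_key differs between $1 and $2" >&2; return 1; }
    case "$ck" in
        *[!0-9a-fA-F]*) echo "fixed_key is not hex" >&2; return 1 ;;
    esac
    [ ${#ck} -eq 64 ] || { echo "fixed_key has ${#ck} hex digits, expected 64" >&2; return 1; }
    return 0
}

# Constructed sample config fragments; the key values are placeholders.
tmp=$(mktemp -d)
KEY=$(printf '%064d' 0 | tr 0 a)          # 64 x 'a': obviously not a real key
ROTATED=$(printf '%064d' 0 | tr 0 b)      # a "rotated" key on one side only
cat > "$tmp/cinder.conf" <<EOF
[DEFAULT]
enabled_backends = lvm
[key_manager]
fixed_key = $KEY
EOF
cat > "$tmp/nova.conf" <<EOF
[keymgr]
fixed_key = $KEY
EOF
cat > "$tmp/nova-rotated.conf" <<EOF
[keymgr]
fixed_key = $ROTATED
EOF

check_fixed_keys "$tmp/cinder.conf" "$tmp/nova.conf" && echo "keys match"
check_fixed_keys "$tmp/cinder.conf" "$tmp/nova-rotated.conf" || echo "mismatch detected"
```

Run it against the real cinder.conf and nova.conf on every node before an upgrade; a non-zero exit means the two services would not agree on the key for existing volumes.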