[Openstack-operators] Encrypted Cinder Volume Deployment
joe at topjian.net
Mon Jan 23 19:41:37 UTC 2017
I'm investigating the options for configuring Cinder with encrypted volumes
and have a few questions.
The Cinder environment is currently running Kilo which will be upgraded to
something between M-O later this year. The Kilo release supports the
fixed_key setting. I see fixed_key is still supported, but has been
abstracted into Castellan.
Question: If I configure Kilo with a fixed key, will existing volumes still
be able to work with that same fixed key in an M, N, O release?
Next, fixed_key is discouraged because of it being a single key for all
tenants. My understanding is that Barbican provides a way for each tenant
to generate their own key.
Question: If I deploy with fixed_key (either now or in a later release),
can I move from a master key to Barbican without bricking all existing
Are there any other issues to be aware of? I've done a bunch of Googling
and searching on bugs.launchpad.net and am pretty satisfied with the
current state of support. My intention is to provide users with simple
native encrypted volume support - not so much supporting uploaded volumes,
bootable volumes, etc.
But what I want to make sure of is that I'm not in a position where in
order to upgrade, a bunch of volumes become irrecoverable.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-operators