[Openstack] Encrypted virtual machines
Justin Santa Barbara
justin at fathomdb.com
Thu Apr 26 18:26:48 UTC 2012
On Thu, Apr 26, 2012 at 9:05 AM, Matt Joyce <matt at nycresistor.com> wrote:
> >From a security stand point I am curious what you see the benefit as?
I think that long-term there is the potential to have a cloud where you
don't have to trust the cloud provider (e.g. Intel Trusted Compute).
However, there are a huge number of steps that need to happen first, so I
don't know that encrypting the qcow disk image would get you very much
today.
However, you could encrypt your filesystem (inside the disk image), and
have it prompt for a password on boot. Then you could go in via VNC
(today) and unlock your disk image.
Your cloud provider can still grab memory etc. But I think that's the best
you can do today. One day we may be able to automate something similar,
yet still have it be secure.
Virtualized I/O performance is poor compared to CPU performance, so I guess
you wouldn't even notice the hit! But this is pure speculation,
A little plug - one of the pieces of the big picture is figuring out how to
store secrets; at the design summit I proposed storing them securely in
Keystone; I just wrote up the (first draft?) of the blueprint:
https://blueprints.launchpad.net/nova/+spec/secure-secret-storage
Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20120426/a6114fad/attachment.html>
More information about the Openstack
mailing list