[cinder] experiences with S3 cinder-backup driver // client-side encryption feature
Hello openstack-discuss and cinder-backup users!

There is an S3 driver available for cinder-backup since the Wallaby release already, see https://docs.openstack.org/releasenotes/cinder/wallaby.html#relnotes-18-0-0-....

1) I was wondering if anybody already used that on a somewhat larger scale and what your experiences are about performance, stability and compatibility?

2) What object storage implementation or external service were / are you using?

3) While there are options like "backup_s3_sse_customer_algorithm" and "backup_s3_sse_customer_key" to make use of server-side encryption (SSE), there seems to be no way to encrypt the data before actually sending it to the remote S3 (read: client-side encryption). Since the boto3 Python SDK by AWS is used, which does not actually implement CSE like other language SDKs do (see my issue: https://github.com/boto/boto3/issues/3395), it seems obvious why that is not a totally low-hanging fruit. But there are ways to add this, check out the references to e.g. https://github.com/StephenSorriaux/s3-encryption in the mentioned boto3 issue.

Encrypting data before sending it off to a potentially externally operated service seems like a nice feature. Even a single encryption key would then protect that data from having to trust a 3rd party. I know encrypted cinder volumes would also work, but they are not as commonly used.

* Is CSE something that others would also like to see for the S3 driver?
* Cinder devs, would this maybe be worth a spec for the next cycle?

Regards,
Christian
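Added example, not code from the post, from cinder, boto3 or the s3-encryption project: the envelope scheme a client-side encryption option for the S3 driver would need, written in Go with only the standard library so it runs offline. Each backup chunk gets a fresh data key, the long-lived master key wraps only that data key, and the object key is bound as AEAD associated data; the 256-bit key size, the object-key naming and carrying the wrapped key as S3 user metadata are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // no usable entropy: never fall back to a weak key or nonce
	}
	return b
}
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes; anything else is a programming error
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}
// seal returns nonce||ciphertext||tag under a fresh random nonce so the nonce travels with the data.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; a wrong key, a wrong object key (AAD) or a tampered blob fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, io.ErrUnexpectedEOF // object truncated to less than a nonce
}
// EncryptChunk: a fresh 256-bit data key encrypts one chunk (object key bound as AAD, so a blob cannot be
// moved to another object name unnoticed); the master key wraps only the data key. The driver would upload
// body as the object and wrappedKey, base64-encoded, as its user metadata (assumed layout).
func EncryptChunk(masterKey, chunk []byte, objectKey string) (body, wrappedKey []byte) {
	dataKey := randomBytes(32)
	return seal(dataKey, chunk, []byte(objectKey)), seal(masterKey, dataKey, nil)
}
// DecryptChunk is the restore path: unwrap the data key with the master key, then open the body.
func DecryptChunk(masterKey, body, wrappedKey []byte, objectKey string) ([]byte, error) {
	out, err := open(masterKey, wrappedKey, nil) // out holds the unwrapped data key here
	if err == nil {
		out, err = open(out, body, []byte(objectKey))
	}
	return out, err
}
```

Only ciphertext and the wrapped data key reach the object store; the master key stays with the backup service, so a compromised or curious storage operator sees nothing usable.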
participants (1)
-
Christian Rohmann