[openstack-dev] Volume Encryption

Bryan D. Payne bdpayne at acm.org
Wed Dec 26 18:26:33 UTC 2012


Some thoughts on the blueprint inline below...

> 1)      Does this look useful, and does the blueprint fit in with your
> OpenStack use cases?

Yes, I believe that this will be useful.  And it complements
http://www.mirantis.com/blog/openstack-swift-encryption-architecture/
nicely.

> 2)      Are there other layers of abstraction required besides the key
> manager (e.g. KMIP) and the block disk encryption (e.g. dmcrypt) interfaces?

I believe that this current layout makes sense.  Although I would
suggest syncing with the Nova team to ensure that your architecture
makes sense to them.

> 3)      Are there specific tests you’d recommend to augment the standard
> test suite?

I'm not as familiar with this suite, but I would encourage you to make
this very simple to deploy / test on devstack so that it can get used
by more devs and properly vetted.

> 4)      Do you have any feedback about the design?

I don't see any glaring problems with your design.  However, I would
like to see more details.  Specific questions that I have after
reading the BP include:

- How do you specify encryption algorithms / key length?
- How do you plan to handle IVs?
- Need a lot more details on the key management side.  In particular,
what would you implement here if the BP is accepted?  And how does the
key management link back to Keystone... or does it?  Are you linking
the keys to specific users?  Or is this just a system-level encryption
that has no direct linkage to users?
- How does this get turned on / off?  Is this something that is
configured at the time a cloud is setup?  Or is this something that a
user can optionally add when launching an instance / creating a
volume?  Or, something in between?
- How does this impact performance?  CPU overhead on node?  Network
overhead?  Dedup overhead?  Is any of this tunable or is it all or
nothing?
- Should probably touch base with Malini Bhandaru from Intel as he has
expressed much interest in using AES-NI for storage encryption...
might be opportunities to collaborate.

Cheers,
-bryan



More information about the OpenStack-dev mailing list