[openstack-dev] Volume Encryption

Paul Sarin-Pollet psarpol at gmx.com
Tue Feb 19 11:45:07 UTC 2013


Concerning data encryption, I have several points I'd like to talk about with the community:
- Data encryption can be done at several places in an OpenStack deployment:
  - at the different levels in the OpenStack software (Nova, Cinder, Swift)
  - directly in the host operating system, at boot time
  - other (hardware level, …)
- An advantage of OpenStack-level encryption is that it can be a customer option
- An advantage of OpenStack-level encryption is that you can get a new key for each new Cinder LVM volume. But is it really an advantage for data protection?
- The advantage of host operating system encryption is that the service provider can protect their own databases, not only the customer's
A centralized key manager should be a good solution for both OpenStack-level and operating-system-level encryption. It should have:
- a specific API
- a Keystone-compatible authentication module
- a key storage plugin
  - a database implementation of the plugin
  - a KMIP implementation of the plugin
- a client usable by OpenStack modules and directly by operating system start scripts
Paul
----- Original Message -----
From: Clark, Robert Graham
Sent: 02/16/13 11:00 AM
To: OpenStack List
Subject: Re: [openstack-dev] Volume Encryption
I can't wait to talk about this at the summit. One of the primary concerns I have is around key management, the way authorisation happens here, recommendations about key-server anti-affinity with nodes/chassis containing encrypted data etc. Should make for a fun discussion.
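The key-manager shape Paul sketches above (a key storage plugin with a database implementation, a Keystone-compatible authentication module in front of a small API, and a fresh key for each Cinder volume) written out as a runnable Python sketch. This is an added example, not code from this thread or from any OpenStack project. The `validate_token` callable standing in for Keystone, the SQLite table layout, the `tenant/volume` key naming and the token values are all assumptions constructed for the example; a KMIP implementation of the plugin would be a second `KeyStoreBackend` subclass and is not shown.

```python
import secrets
import sqlite3
from abc import ABC, abstractmethod
from typing import Callable, Dict, Optional


class KeyStoreBackend(ABC):
    """Key storage plugin interface. The key manager only talks to this, so a
    KMIP-backed implementation could replace the database one without touching
    the API or authentication code."""

    @abstractmethod
    def put(self, key_id: str, key: bytes) -> None: ...

    @abstractmethod
    def get(self, key_id: str) -> Optional[bytes]: ...


class SqliteKeyStore(KeyStoreBackend):
    """The 'database implementation of the plugin' (in-memory SQLite here)."""

    def __init__(self, path: str = ":memory:") -> None:
        self._db = sqlite3.connect(path)
        self._db.execute("CREATE TABLE IF NOT EXISTS volume_keys "
                         "(key_id TEXT PRIMARY KEY, key BLOB NOT NULL)")

    def put(self, key_id: str, key: bytes) -> None:
        # Plain INSERT on purpose: silently overwriting an existing volume key
        # would make data already encrypted under the old key unreadable.
        self._db.execute("INSERT INTO volume_keys (key_id, key) VALUES (?, ?)",
                         (key_id, key))
        self._db.commit()

    def get(self, key_id: str) -> Optional[bytes]:
        row = self._db.execute("SELECT key FROM volume_keys WHERE key_id = ?",
                               (key_id,)).fetchone()
        return bytes(row[0]) if row else None


class AuthError(Exception):
    """Raised when the authentication module rejects a token."""


class KeyManager:
    """Minimal key-manager API: create one key per volume, fetch it back."""

    def __init__(self, backend: KeyStoreBackend,
                 validate_token: Callable[[str], Optional[str]]) -> None:
        self._backend = backend
        # Keystone-compatible auth module, modelled (assumption) as a callable
        # mapping a token to a tenant id, or None when the token is invalid.
        self._validate_token = validate_token

    def _tenant(self, token: str) -> str:
        tenant = self._validate_token(token)
        if tenant is None:
            raise AuthError("token rejected")
        return tenant

    def create_volume_key(self, token: str, volume_id: str, length: int = 32) -> str:
        tenant = self._tenant(token)
        key_id = f"{tenant}/{volume_id}"  # keys are scoped to the tenant
        self._backend.put(key_id, secrets.token_bytes(length))  # fresh key per volume
        return key_id

    def get_volume_key(self, token: str, volume_id: str) -> bytes:
        tenant = self._tenant(token)
        key = self._backend.get(f"{tenant}/{volume_id}")
        if key is None:
            # Same error whether the volume is unknown or belongs to another
            # tenant, so the API does not reveal other tenants' volume ids.
            raise KeyError(volume_id)
        return key


# Constructed token table standing in for Keystone (example data only).
FAKE_TOKENS: Dict[str, str] = {"tok-alice": "tenant-a", "tok-bob": "tenant-b"}


def fake_keystone(token: str) -> Optional[str]:
    return FAKE_TOKENS.get(token)


def demo() -> dict:
    """Exercise the manager: per-volume keys, tenant scoping, bad tokens."""
    km = KeyManager(SqliteKeyStore(), fake_keystone)
    km.create_volume_key("tok-alice", "vol-1")
    km.create_volume_key("tok-alice", "vol-2")
    k1 = km.get_volume_key("tok-alice", "vol-1")
    k2 = km.get_volume_key("tok-alice", "vol-2")
    try:
        km.get_volume_key("tok-bob", "vol-1")  # bob's namespace has no vol-1
        cross_tenant_blocked = False
    except KeyError:
        cross_tenant_blocked = True
    try:
        km.get_volume_key("tok-mallory", "vol-1")  # token unknown to "Keystone"
        bad_token_rejected = False
    except AuthError:
        bad_token_rejected = True
    return {"key_len": len(k1), "keys_differ": k1 != k2,
            "cross_tenant_blocked": cross_tenant_blocked,
            "bad_token_rejected": bad_token_rejected}


if __name__ == "__main__":
    print(demo())
```

The storage plugin stores raw key bytes, which is enough to show the plugin boundary; a real database implementation would wrap each volume key under a master key held in an HSM or KMIP server, and the "client usable by operating system start scripts" from the proposal would be a thin wrapper around `get_volume_key` that authenticates once at boot.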