[openstack-dev] encrypted volume snapshot question

Nate Reller rellerreller at yahoo.com
Wed Mar 27 15:47:45 UTC 2013


I think a lightweight clone operation like option (2) is possible. I could be
wrong, but I feel confident that it should be ok.

However, I feel like option (2) does introduce some security risks. This is why
I like option (3). If we do a clone with the same key then the original and
clone will use the same key going forward. The content of the disks will
change over time, but the key used to provide the encryption will be the same.

My concern is that if we use option (2) then there will be many clones using
the same key. Consider a user that creates a new encrypted volume. The user 
then clones the volume and makes it available for other members to use. Each 
member that uses a cloned volume will have an encrypted drive, but they will 
all be using the same key. 

If an attacker can find the key then they can read the data for all of the
volumes. It also makes administration much slower and more difficult in the
instance of a key compromise because now all of the drives must be rekeyed
instead of just one. 

> My concern is with option (2) above, given Nate’s description of a logical
> block device, so the sector numbers would be 0, 1, 2 in the copy and original.
> Say one uses an encryption scheme that builds in a tweak using the sector
> address, and for argument’s sake we have a single physical device and on that 
> we save the original and a snapshot of the same. Would the physical disk have a
> string of bits that looks identical (because the sector numbers and hence tweak
> are the same, and the encryption key is the same). Metadata could look
> different by making a copy of the key and saving it against a new key-id.
> 
> The above is ideal for de-duplication efforts.
> But would it introduce a security vulnerability?

-Nate
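The two clone strategies discussed above, modelled as an added example that is not part of the original thread and not OpenStack/Cinder code. The cipher is a toy: a four-round Feistel network whose round function is HMAC-SHA256 keyed by the volume key and tweaked by the sector number, standing in for XTS-style disk encryption so that the example runs with the standard library only. Volume, clone_same_key, clone_new_key and identical_sectors are hypothetical names; the "volume contents" are constructed sample data. It shows what the quoted question asks about: with a copied key (option 2) the original and its clone are byte-identical on disk wherever their plaintext sectors agree, which is exactly what de-duplication needs and also exactly what an observer of the raw disks learns, and a compromise of one key opens every clone. With a fresh key (option 3) nothing is shared, but every sector has to be decrypted and re-encrypted, so the clone is no longer lightweight.

```python
"""Toy model of per-sector (tweaked) volume encryption for the option (2) vs
option (3) clone question. The Feistel/HMAC cipher is a stand-in for XTS,
not a real disk cipher and not Cinder/Nova code; it exists only so the
ciphertext-equality leak and the rekeying cost can be observed offline."""
from __future__ import annotations
import hashlib
import hmac
import os

SECTOR_SIZE = 64   # toy sector: two 32-byte Feistel halves
ROUNDS = 4


def _round(key: bytes, sector: int, rnd: int, half: bytes) -> bytes:
    """Round function: PRF keyed by the volume key, tweaked by sector and round."""
    msg = sector.to_bytes(8, "big") + bytes([rnd]) + half
    return hmac.new(key, msg, hashlib.sha256).digest()


def encrypt_sector(key: bytes, sector: int, plain: bytes) -> bytes:
    """Deterministic: same key, same sector number, same plaintext -> same bytes."""
    assert len(plain) == SECTOR_SIZE
    left, right = plain[:32], plain[32:]
    for rnd in range(ROUNDS):
        f = _round(key, sector, rnd, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def decrypt_sector(key: bytes, sector: int, cipher: bytes) -> bytes:
    assert len(cipher) == SECTOR_SIZE
    left, right = cipher[:32], cipher[32:]
    for rnd in reversed(range(ROUNDS)):
        f = _round(key, sector, rnd, left)
        left, right = bytes(a ^ b for a, b in zip(right, f)), left
    return left + right


class Volume:
    """Hypothetical logical block device: ciphertext sectors plus the key id used."""
    def __init__(self, key: bytes, key_id: str):
        self.key, self.key_id = key, key_id
        self.sectors: list[bytes] = []

    def write(self, plaintext: bytes) -> None:
        padded = plaintext + b"\0" * (-len(plaintext) % SECTOR_SIZE)
        self.sectors = [encrypt_sector(self.key, i, padded[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE])
                        for i in range(len(padded) // SECTOR_SIZE)]

    def read(self) -> bytes:
        return read_with(self.key, self)


def read_with(key: bytes, vol: Volume) -> bytes:
    """What someone holding `key` recovers from the raw sectors of `vol`."""
    return b"".join(decrypt_sector(key, i, c) for i, c in enumerate(vol.sectors))


def clone_same_key(src: Volume, new_key_id: str) -> Volume:
    """Option (2): copy ciphertext as-is; only the key id in metadata changes."""
    dst = Volume(src.key, new_key_id)
    dst.sectors = list(src.sectors)           # no cryptographic work at all
    return dst


def clone_new_key(src: Volume, new_key_id: str) -> tuple[Volume, int]:
    """Option (3): decrypt every sector and re-encrypt under a fresh key.
    Returns the clone and how many sectors had to be rewritten."""
    dst = Volume(os.urandom(32), new_key_id)
    dst.sectors = [encrypt_sector(dst.key, i, decrypt_sector(src.key, i, c))
                   for i, c in enumerate(src.sectors)]
    return dst, len(dst.sectors)


def identical_sectors(a: Volume, b: Volume) -> list[int]:
    """Sectors whose on-disk ciphertext is byte-identical in both volumes: what a
    dedup engine sees, and what an attacker with raw disk access also sees."""
    return [i for i, (x, y) in enumerate(zip(a.sectors, b.sectors)) if x == y]


def demo() -> dict:
    data = b"constructed sample volume contents " * 6      # 210 bytes -> 4 sectors
    original = Volume(os.urandom(32), "key-id-original")
    original.write(data)

    shared = clone_same_key(original, "key-id-clone-shared")
    fresh, rewritten = clone_new_key(original, "key-id-clone-fresh")

    # The shared-key clone diverges in sector 0 only; sectors 1..3 stay identical.
    changed = bytearray(data)
    changed[0:5] = b"EDIT!"
    shared.write(bytes(changed))

    return {
        "same_key_identical": identical_sectors(original, shared),
        "fresh_key_identical": identical_sectors(original, fresh),
        "fresh_reads_same": fresh.read() == original.read(),
        "sectors_rewritten": rewritten,
        # A compromise of the original key opens the option (2) clone but not the option (3) one.
        "leaked_key_opens_shared": read_with(original.key, shared) == shared.read(),
        "leaked_key_opens_fresh": read_with(original.key, fresh) == fresh.read(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run as a script it prints that the shared-key clone matches the original in sectors 1, 2 and 3 after an edit to sector 0, that the fresh-key clone matches in none while still decrypting to the same data, that all four sectors had to be rewritten to produce it, and that the original key reads the shared-key clone but not the fresh one. The equality leak is per sector, as in the quoted message: the tweak binds the ciphertext to the sector address, so identical plaintext at identical sectors under one key is identical on both disks, which is the property de-duplication exploits.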


