Open Stack

Gregory Holt <z-launchpad at brim.net> wrote on 20/11/2013 05:46:41 PM:

> From: Gregory Holt <z-launchpad at brim.net>
> To: "OpenStack Development Mailing List (not for usage questions)" 
> <openstack-dev at lists.openstack.org>, 
> Date: 20/11/2013 05:49 PM
> Subject: Re: [openstack-dev] [Swift]  Server Side Encryption
> 
> On Nov 20, 2013, at 5:26 AM, David Hadas <DAVIDH at il.ibm.com> wrote:
> 
> > 
> > Hi all,
> > 
> > We created a wiki page discussing the addition of software side 
encryption
> > to Swift:
> > "The general scheme is to create a swift proxy middleware that will 
encrypt
> > and sign the object data during PUT and check the signature + decrypt 
it
> > during GET. The target is to create two domains - the user domain 
between
> > the client and the middleware where the data is decrypted and the 
system
> > domain between the middleware and the data at rest (on the device) 
where
> > the data is encrypted.
> > Design goals include: (1) Extend swift as necessary but without 
changing
> > existing swift behaviors and APIs; (2) Support encrypting data 
incoming
> > from unchanged clients"
> > 
> > See:  https://wiki.openstack.org/wiki/Swift/server-side-enc
> > We would like to invite feedback.
> 
> I'll bite, though I'm fairly sure I already know the response. Why 
> all this complexity for what amounts to just encrypting data on disk
> in case the disk is stolen, lost, or reused? That's the only 
> protection I see this providing and it would seem it could be 
> achieved with a single cluster key stored only on the Swift proxy 
> servers. All the rest seems like gyrations that provide no true 
> additional benefit. If a client actually cares about having their 
> data encrypted, they should encrypt it themselves and only they 
> would keep the key.
> 

A couple of reasons: 
-- improve re-keying by having a hierarchy 
-- finer grain control on encryption, e.g., per account (the objective is 
not just to protect against disks walking away). 
No argument, best security is client side encryption.  This said, there 
seems to be a need for tenant-controlled, server side encryption, based 
both upon what is offered by other services and discussions I have had 
with users.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131122/27882540/attachment.html>