[openstack-dev] [nova] key management and Cinder volume encryption

Bryan D. Payne bdpayne at acm.org
Wed Sep 4 01:27:36 UTC 2013


>> How can someone use your code without a key manager?
>>
>> Some key management mechanism is required although it could be
>> simplistic. For example, we’ve tested our code internally with an
>> implementation of the key manager interface that returns a single, constant
>> key.
>>
> That works for testing but doesn't address: "the current dearth of key
> management within OpenStack does not preclude the use of our existing work
> within a production environment"
>

My understanding here is that users are free to use any key management
mechanism that they see fit.  This can be a simple "return a static key"
option.  Or it could be using something more feature rich like Barbican.
Or it could be something completely home grown that is suited to a
particular OpenStack deployment.

I don't understand why we are getting hung up on having a key manager as
part of OpenStack in order to accept this work.  Clearly there are other
pieces of OpenStack that have external dependencies (message queues, to
name one).

I, for one, am looking forward to using this feature and would be very
disappointed to see it pushed back for yet another release.



>  Is a feature complete if no one can use it?
>
> I am happy with a less than secure but fully functional key manager.  But
> with no key manager that can be used in a real deployment, what is the
> value of including this code?
>

Of course people can use it.  They just need to integrate with some
solution of the deployment's choosing that provides key management
capabilities.  And, of course, if you choose to not use the volume
encryption then you don't need to worry about it at all.

I've watched this feature go through many, many iterations throughout both
the Grizzly and Havana release cycles.  The authors have been working hard
to address everyone's concerns.  In fact, they have navigated quite a
gauntlet to get this far.  And what they have now is an excellent, working
solution.  Let's accept this nice security enhancement and move forward.

Cheers,
-bryan
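As an added example (not code from this thread or from Nova itself), a sketch of the pluggable arrangement Bryan describes: the "return a static key" option beside a per-volume alternative, with a check a deployer could run to tell them apart. The method names are modelled loosely on Nova's key manager interface of the time and are an assumption, not Nova's exact API.

```python
# Added example: a pluggable key-manager interface with the two options the
# thread discusses (method names are an assumption, not Nova's exact API).
import os
import uuid
from abc import ABC, abstractmethod


class KeyManager(ABC):
    @abstractmethod
    def create_key(self, ctxt, length=256):
        """Create a key for a new volume and return its key id."""

    @abstractmethod
    def get_key(self, ctxt, key_id):
        """Return the raw key bytes for key_id."""


class SingleKeyManager(KeyManager):
    """The 'return a static key' option: fine for test rigs, unsafe in
    production because every volume is protected by the same key."""

    def __init__(self, key=b"\x00" * 32):   # constructed test key
        self._key = key

    def create_key(self, ctxt, length=256):
        return "single-key"                  # one id, one key, for everything

    def get_key(self, ctxt, key_id):
        return self._key


class InMemoryKeyManager(KeyManager):
    """Home-grown stand-in: a fresh random key per volume. A deployment would
    back this with Barbican or an HSM; the dict only shows the contract."""

    def __init__(self):
        self._keys = {}

    def create_key(self, ctxt, length=256):
        key_id = str(uuid.uuid4())
        self._keys[key_id] = os.urandom(length // 8)
        return key_id

    def get_key(self, ctxt, key_id):
        return self._keys[key_id]            # KeyError for unknown ids


def keys_are_isolated(mgr, volumes=3, ctxt=None):
    """Deployment check: does each volume get a distinct key?"""
    ids = [mgr.create_key(ctxt) for _ in range(volumes)]
    return len({mgr.get_key(ctxt, i) for i in ids}) == volumes
```

The check fails for the static-key manager, which is the property that makes it acceptable for testing but not for a real deployment.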