[openstack-dev] [nova] key management and Cinder volume encryption
John Griffith
john.griffith at solidfire.com
Wed Sep 4 01:44:41 UTC 2013
On Tue, Sep 3, 2013 at 7:27 PM, Bryan D. Payne <bdpayne at acm.org> wrote:
>
> > How can someone use your code without a key manager?****
>>>
>>> Some key management mechanism is required although it could be
>>> simplistic. For example, we’ve tested our code internally with an
>>> implementation of the key manager interface that returns a single, constant
>>> key.
>>>
>> That works for testing but doesn't address: "the current dearth of key
>> management within OpenStack does not preclude the use of our existing work
>> within a production environment"
>>
>
> My understanding here is that users are free to use any key management
> mechanism that they see fit. This can be a simple "return a static key"
> option. Or it could be using something more feature rich like Barbican.
> Or it could be something completely home grown that is suited to a
> particular OpenStack deployment.
>
> I don't understand why we are getting hung up on having a key manager as
> part of OpenStack in order to accept this work. Clearly there are other
> pieces of OpenStack that have external dependencies (message queues, to
> name one).
>
> I, for one, am looking forward to using this feature and would be very
> disappointed to see it pushed back for yet another release.
>
>
>
>> Is a feature complete if no one can use it?
>>
>> I am happy with a less then secure but fully functional key manager. But
>> with no key manager that can be used in a real deployment, what is the
>> value of including this code?
>>
>
> Of course people can use it. They just need to integrate with some
> solution of the deployment's choosing that provides key management
> capabilities. And, of course, if you choose to not use the volume
> encryption then you don't need to worry about it at all.
>
> I've watched this feature go through many, many iterations throughout both
> the Grizzly and Havana release cycles. The authors have been working hard
> to address everyone's concerns. In fact, they have navigated quite a
> gauntlet to get this far. And what they have now is an excellent, working
> solution. Let's accept this nice security enhancement and move forward.
>
> Cheers,
> -bryan
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> Do you have any docs or guides describing a reference implementation that
would be able to use this in the manner you describe?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130903/a069957c/attachment.html>
More information about the OpenStack-dev
mailing list