[openstack-dev] [Nova] FFE Request: Encrypt Cinder volumes

Jarret Raim jarret.raim at RACKSPACE.COM
Mon Sep 9 19:20:01 UTC 2013



On 9/9/13 9:25 AM, "Russell Bryant" <rbryant at redhat.com> wrote:

>On 09/09/2013 04:57 AM, Thierry Carrez wrote:
>> Russell Bryant wrote:
>>> I would be good with the exception for this, assuming that:
>>>
>>> 1) Those from nova-core that have reviewed the code are still happy
>>> with it and would do a final review to get it merged.
>>>
>>> 2) There is general consensus that the simple config based key manager
>>> (single key) does provide some amount of useful security.  I believe it
>>> does, just want to make sure we're in agreement on it.  Obviously we
>>> want to improve this in the future.
>> 
>> +1
>> 
>> I think this is sufficiently self-contained that the regression risk is
>> extremely limited. It's also nice to have a significant hardening
>> improvement in the Havana featurelist. I would just prefer if it landed
>> ASAP since I would like as much usage around it as we can get, to make
>> sure the previous audits didn't miss an obvious bug/security hole in it.
>> 
>
>The response seems positive from everyone so far.  I think we should
>approve this and try to get it merged ASAP (absolutely this week, and
>hopefully in the first half of the week).
>
>ACK on the FFE from me.


Me as well for what it's worth. While I understand the concerns around key
management, Barbican will have our 1.0 release for Havana and it should be
relatively easy to integrate the proposed patches with Barbican at that
time. Even so, the current version does offer some security and gives us
the ability to have the code tested before we introduce another moving
part.


Thanks,
Jarret Raim



