[openstack-dev] [FFE] [nova] Barbican key manager wrapper

Sean Dague sean at dague.net
Fri Sep 5 12:11:32 UTC 2014


On 09/05/2014 07:51 AM, Daniel P. Berrange wrote:
> On Thu, Sep 04, 2014 at 05:19:45PM +0000, Coffman, Joel M. wrote:
>> A major concern about several encryption features within Nova [1, 2] has been the lack of secure key management. To address this concern, work has been underway to integrate these features with Barbican [3], which can be used to manage encryption keys across OpenStack.
>>
>> We request a feature freeze exception be granted to merge this code [3], which is really a shim between the existing key manager interface in Nova and python-barbicanclient, into Nova [4]. The acceptance of this feature will improve the security of cloud users and operators who use the Cinder volume encryption feature [1], which is currently limited to a single, static encryption key for volumes. Cinder has already merged a similar feature [5] following the review of several patch revisions; not accepting the feature in Nova creates a disparity with Cinder in regards to the management of encryption keys.
>>
>> As this is an optional feature that introduces very few changes to pre-existing code, the risk of disruption to existing deployments as well as the risk of regression is minimal. The only objection that has very recently been voiced is the implicit dependency on the Barbican service, which does not yet have experimental jobs in Tempest. Other core reviewers, though, believe that the existing unit tests included with the change are sufficient.
>>
>> Thank you for taking the time to consider this request.
> 
> I sponsor it as it is effectively part of the LVM encryption blueprint
> which I've already sponsored. So we should consider FFE for both those
> blueprints together, rather than in isolation.

Agreed, I kind of assumed we were thinking about them as one thing.

	-Sean

-- 
Sean Dague
http://dague.net


