[openstack-dev] [cinder][nova]Move encryptors to os-brick

Duncan Thomas duncan.thomas at gmail.com
Thu Dec 3 12:40:46 UTC 2015


On 3 December 2015 at 11:14, Li, Xiaoyan <xiaoyan.li at intel.com> wrote:

> Just to be clear, the data operations where cinder needs to touch plaintext data are:
>  1) Create volume from glance image
>  2) Create glance image from volume
>  3) Retype encrypted volumes. That is to change a volume from unencrypted
> to encrypted, or vice versa.
>
> Backup/Restore doesn't need to decrypt data.
>

Backup / restore doesn't currently decrypt the data. There are some people
commenting that it is not useful for DR work to have a backup that requires
keys from a key service that is itself not backed up, so there may be some
proposal incoming about not encrypting backups, or else giving them their
own key rather than require access to the original volume key during
restore - needing that access also makes things like re-keying the original
volume difficult/impossible.

Again, we have multiple use-cases for encryption, and they are not all
going to be solved by draconian dictates that there shall only be
one way of doing things.