[openstack-dev] [cinder][glance]Upload encrypted volumes to images

Philipp Marek philipp.marek at linbit.com
Mon Nov 23 06:05:05 UTC 2015


> About uploading encrypted volumes to image, there are three options:
> 1. Glance only keeps non-encrypted images. So when uploading encrypted
>    volumes to image, Cinder decrypts the data and uploads it.
> 2. Glance maintains encrypted images. Cinder just uploads the encrypted
>    data to image.
> 3. Just prevent the function to upload encrypted volumes to images.
>
> Option 1: No changes needed in Glance. But it may not be safe, as we decrypt the data and upload it to images.
> Option 2: This imports encryption to Glance, which needs to manage the encryption metadata.
> 
> Please add more if you have other suggestions. Which one do you think is preferred?
Well, IMO only option 1 is useful.

Option 2 means that the original volume, the image, and all derived volumes 
will share the same key, right?
That's not good. (Originally: "unacceptable")



