[openstack-dev] [cinder][nova]Move encryptors to os-brick

Duncan Thomas duncan.thomas at gmail.com
Mon Nov 30 14:13:18 UTC 2015


On 30 November 2015 at 16:04, Coffman, Joel M. <Joel.Coffman at jhuapl.edu>
wrote:

> On 11/25/15, 11:33 AM, "Ben Swartzlander" <ben at swartzlander.org> wrote:
>
> On 11/24/2015 03:27 PM, Nathan Reller wrote:
>
> Trying to design a system where we expect nova to do data encryption but
> not cinder will not work in the long run. The eventual result will be
> that nova will have to take on most of the functionality of cinder and
> we'll be back to the nova-volume days.
>
> Could you explain further what you mean by "nova will have to take on most
> of the functionality of cinder"? In the current design, Nova is still
> passing data blocks to Cinder for storage – they're just encrypted instead
> of plaintext. That doesn't seem to subvert the functionality of Cinder or
> reimplement it.
>

The functionality of cinder is more than blindly storing blocks - in
particular it has create-from/upload-to image, backup, and retype, all of
which do some degree of manipulation of the data and/or volume encryption
metadata.

We are suffering from somewhat incompatible requirements with encryption
between those who want fully functional cinder and encryption on disk (the
common case I think), and those who have enhanced security requirements.

-- 
Duncan Thomas