[openstack-dev] [nova][cinder][glance][osc][sdk] Image Encryption for OpenStack (proposal)

Matthew Oliver matt at oliver.net.au
Mon Oct 15 21:59:46 UTC 2018


Just an FYI, it doesn't solve cached images, but Swift does support
at-rest encryption, so if using the Swift store backend you can at least know
your image on disk on the storage nodes would be safe.
We still need to add more functionality like key rotation, but we do
integrate with KMIP services or Barbican.

Still could be a good idea for other projects. I wasn't the one who wrote
the Swift at-rest encryption but happy to, probably badly, help answer
questions cause we might have some interesting lessons learned.

Matt

On Tue, Oct 16, 2018 at 12:36 AM Josephine Seifert <
josephine.seifert at secustack.com> wrote:

> Hello OpenStack developers,
>
> we have made an etherpad as there were a few questions concerning
> the library we want to use for the encryption and decryption method:
>
>
> https://etherpad.openstack.org/p/library-for-image-encryption-and-decryption
>
>
> On 11.10.2018 at 15:10, Josephine Seifert wrote:
> > On 08.10.2018 at 17:16, Markus Hentsch wrote:
> >> Dear OpenStack developers,
> >>
> >> as you suggested, we have written individual specs for Nova [1] and
> >> Cinder [2] so far and will write another spec for Glance soon. We'd
> >> appreciate any feedback and reviews on the specs :)
> >>
> >> Thank you in advance,
> >> Markus Hentsch
> >>
> >> [1] https://review.openstack.org/#/c/608696/
> >> [2] https://review.openstack.org/#/c/608663/
> >>
> >>
> >>
> __________________________________________________________________________
> >> OpenStack Development Mailing List (not for usage questions)
> >> Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> > The spec for Glance is also on gerrit now:
> >
> > https://review.openstack.org/#/c/609667/
> >
> >
>