[openstack-dev] [nova][cinder][glance][osc][sdk] Image Encryption for OpenStack (proposal)

Markus Hentsch markus.hentsch at cloudandheat.com
Fri Sep 28 12:08:48 UTC 2018

Hello Julia,

we will begin formulating an individual spec for each project accordingly.

Regarding your question: as you already assumed correctly, the code
necessary to handle image decryption is driver specific in our current
design as it is very close to the point where the ephemeral storage disk
is initialized.

Our proposed goal of direct decryption streaming makes it hard to design
this in a generic fashion since we can't simply place the decrypted
image somewhere temporarily in a generic place and then take it as a
base for a driver specific next step, since that'd expose the image data.

Best regards,

Julia Kreger wrote:
> Greetings!
> I suspect the avenue of at least three different specs is likely going
> to be the best path forward and likely what will be required for each
> project to fully understand how/what/why. From my point of view, I'm
> quite interested in this from a Nova point of view because that is the
> initial user interaction point for majority of activities. I'm also
> wondering if this is virt driver specific, or if it can be applied to
> multiple virt drivers in the nova tree, since each virt driver has
> varying constraints. So maybe the best path forward is something nova
> centric to start?
> -Julia
> On Thu, Sep 27, 2018 at 10:36 AM Markus Hentsch
> <markus.hentsch at secustack.com> wrote:
>> Dear OpenStack developers,
>> we would like to propose the introduction of an encrypted image format
>> in OpenStack. We already created a basic implementation involving Nova,
>> Cinder, OSC and Glance, which we'd like to contribute.
>> We originally created a full spec document but since the official
>> cross-project contribution workflow in OpenStack is a thing of the past,
>> we have no single repository to upload it to. Thus, the Glance team
>> advised us to post this on the mailing list [1].
>> Ironically, Glance is the least affected project since the image
>> transformation processes affected are taking place elsewhere (Nova and
>> Cinder mostly).
>> Below you'll find the most important parts of our spec that describe our
>> proposal - which our current implementation is based on. We'd love to
>> hear your feedback on the topic and would like to encourage all affected
>> projects to join the discussion.
>> Subsequently, we'd like to receive further instructions on how we may
>> contribute to all of the affected projects in the most effective and
>> collaborative way possible. The Glance team suggested starting with a
>> complete spec in the glance-specs repository, followed by individual
>> specs/blueprints for the remaining projects [1]. Would that be alright
>> for the other teams?
>> [1]
>> http://eavesdrop.openstack.org/meetings/glance/2018/glance.2018-09-27-14.00.log.html
>> Best regards,
>> Markus Hentsch
> [trim]
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

*Markus Hentsch*
Head of Cloud Innovation


*CLOUD & HEAT Technologies GmbH*
Königsbrücker Str. 96 (Halle 15) | 01099 Dresden
Tel: +49 351 479 3670 - 100
Fax: +49 351 479 3670 - 110
E-Mail: markus.hentsch at cloudandheat.com
<mailto:markus.hentsch at cloudandheat.com>
Web: https://www.cloudandheat.com

Handelsregister: Amtsgericht Dresden
Registernummer: HRB 30549
USt.-Ident.-Nr.: DE281093504
Geschäftsführer: Nicolas Röhrs

More information about the OpenStack-dev mailing list