[Openstack-operators] Encrypted Cinder Volume Deployment

Kris G. Lindgren klindgren at godaddy.com
Mon Jan 23 19:53:33 UTC 2017


Slightly off topic,

But I remember a discussion involving encrypted volumes and nova(?) and there was an issue where an issue/bug where nova was using the wrong key – like it got hashed wrong and was using the badly hashed key/password vs’s what was configured.


___________________________________________________________________
Kris Lindgren
Senior Linux Systems Engineer
GoDaddy

From: Joe Topjian <joe at topjian.net>
Date: Monday, January 23, 2017 at 12:41 PM
To: "openstack-operators at lists.openstack.org" <openstack-operators at lists.openstack.org>
Subject: [Openstack-operators] Encrypted Cinder Volume Deployment

Hi all,

I'm investigating the options for configuring Cinder with encrypted volumes and have a few questions.

The Cinder environment is currently running Kilo which will be upgraded to something between M-O later this year. The Kilo release supports the fixed_key setting. I see fixed_key is still supported, but has been abstracted into Castellan.

Question: If I configure Kilo with a fixed key, will existing volumes still be able to work with that same fixed key in an M, N, O release?

Next, fixed_key is discouraged because of it being a single key for all tenants. My understanding is that Barbican provides a way for each tenant to generate their own key.

Question: If I deploy with fixed_key (either now or in a later release), can I move from a master key to Barbican without bricking all existing volumes?

Are there any other issues to be aware of? I've done a bunch of Googling and searching on bugs.launchpad.net<http://bugs.launchpad.net> and am pretty satisfied with the current state of support. My intention is to provide users with simple native encrypted volume support - not so much supporting uploaded volumes, bootable volumes, etc.

But what I want to make sure of is that I'm not in a position where in order to upgrade, a bunch of volumes become irrecoverable.

Thanks,
Joe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20170123/1e40ba47/attachment.html>


More information about the OpenStack-operators mailing list