Encryption of attached Cinder volumes
The Cinder volumes for a virtual machine (VM) are currently not being encrypted. This makes the platforms hosting volumes for VMs high value targets because an attacker can break into a volume-hosting platform and read the data for many different VMs. Another issue is that the physical storage medium could be stolen, remounted, and accessed from a different machine. This blueprint addresses both of these vulnerabilities
The aim of this blueprint is to provide encryption of the VM's data before it is written to disk. The idea is similar to how self-encrypting drives work. Our goal is to present the VM a normal block storage device, but we will encrypt the bytes in the virtualization host before writing them to the disk. For more information, see the referenced specification.
Blueprint information
- Status:
- Complete
- Approver:
- Russell Bryant
- Priority:
- High
- Drafter:
- APL Development team for OpenStack
- Direction:
- Approved
- Assignee:
- APL Development team for OpenStack
- Definition:
- Approved
- Series goal:
- Accepted for havana
- Implementation:
-
Implemented
- Milestone target:
-
2013.2
- Started by
- Laura Glendenning
- Completed by
- Russell Bryant
Related branches
Related bugs
Sprints
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Added encryption support for volumes
If cinder is not given some sort of handle for the encryption key, then snapshot / clone / backup can never work. I think this needs some more thought on integrating cinder with the design --Duncan Thomas
Addressed by: https:/
Create key manager interface
Addressed by: https:/
Add encryption support for volumes
Blocked on a change going in to cinder: https:/
The cinder patch set has been approved and should merge later today. -- joel-coffman
Since this has been blocked for a while, I'm going to lower the priority, indicating that it's not going to block the Nova Havana release in case it doesn't get unblocked in time. --russellb
Addressed by: https:/
Add key manager implementation with static key
Addressed by: https:/
Add ephemeral storage encryption for LVM back-end images
Addressed by: https:/
Synchronize the key manager interface with Cinder
Gerrit topic: https:/
Work Items
Dependency tree
* Blueprints in grey have been implemented.
