Storage: Encryption of ephemeral storage (first steps only)

Registered by Laura Glendenning on 2012-11-29

This blueprint is an incremental feature to [https://blueprints.launchpad.net/nova/+spec/encrypt-cinder-volumes].

When virtual machines (VMs) are launched, ephemeral storage is created to support a large single volume. It is created locally, on the same platform that hosts the VM, and holds the guest operating system files; additional storage space can also be added for other purposes. These volumes are currently not encrypted, which makes the platforms hosting VMs high-value targets: an attacker who breaks into the platform can read the data of many different VMs. This feature makes it harder for an attacker to read VM disks, since it encrypts each one with a unique key that is not stored locally. This blueprint also fully addresses the case where the physical storage medium is stolen, remounted, and accessed from a different machine.

The aim of this blueprint is to encrypt the VM's data before it is written to disk. The idea is similar to how self-encrypting drives work. Our goal is to present the VM with a normal block storage device while encrypting the bytes in the virtualization host before they are written to the disk. For more information, see the referenced specification.
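
The design described above, sketched as an added example (not code from Nova or from the patches linked on this page): each instance gets its own key, the key is fetched from a key manager at attach time and handed to `cryptsetup` on stdin, and the VM is given the resulting cleartext mapping. The class and function names, the mapping naming scheme, the cipher and the key size are assumptions made for illustration; running it against a real device requires root and `cryptsetup`.

```python
import os
import subprocess
import uuid


class InMemoryKeyManager:
    """Hypothetical stand-in for a remote key manager; real keys live off-host."""

    def __init__(self):
        self._keys = {}

    def create_key(self, length_bytes=64):
        key_id = str(uuid.uuid4())
        self._keys[key_id] = os.urandom(length_bytes)
        return key_id

    def get_key(self, key_id):
        return self._keys[key_id]


def dmcrypt_open_cmd(name, device, key_size_bits, cipher="aes-xts-plain64"):
    """cryptsetup command for a plain dm-crypt mapping over `device`.

    --key-file=- makes cryptsetup read the key from stdin, so the key is
    never placed in argv or written to a file on the host.
    """
    return ["cryptsetup", "open", "--type", "plain",
            "--cipher", cipher, "--key-size", str(key_size_bits),
            "--key-file", "-", device, name]


def attach_encrypted_disk(key_manager, key_uuid, instance_uuid, device,
                          run=subprocess.run):
    """Fetch the instance's key and map its disk; returns the cleartext device."""
    key = key_manager.get_key(key_uuid)          # held in memory only
    name = instance_uuid + "-dmcrypt"            # assumed naming scheme
    run(dmcrypt_open_cmd(name, device, len(key) * 8), input=key, check=True)
    return "/dev/mapper/" + name                 # device presented to the VM


def detach_encrypted_disk(instance_uuid, run=subprocess.run):
    """Remove the mapping; only ciphertext remains on the backing device."""
    run(["cryptsetup", "close", instance_uuid + "-dmcrypt"], check=True)
```

The `run` parameter exists so the command and its stdin can be inspected without root; by default it is `subprocess.run`.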

Blueprint information

Status:
Complete
Approver:
Russell Bryant
Priority:
Low
Drafter:
APL Development team for OpenStack
Direction:
Approved
Assignee:
APL Development team for OpenStack
Definition:
Approved
Series goal:
Accepted for icehouse
Implementation:
Implemented
Milestone target:
2014.1
Started by
Joel Coffman on 2013-07-01
Completed by
John Garbutt on 2014-03-05

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/encrypt-ephemeral-storage,n,z

Addressed by: https://review.openstack.org/40467
    Adds ephemeral storage encryption

Addressed by: https://review.openstack.org/40932
    This patch adds ephemeral storage encryption for LVM back-end instances. Encryption is implemented by passing all data written to and read from the logical volumes through a dm-crypt layer. Most instance operations such as pause/continue, suspend/resume,

Gerrit topic: https://review.openstack.org/#q,topic:bp/encrypt-cinder-volumes,n,z

Addressed by: https://review.openstack.org/45103
    Add key manager implementation with static key

Addressed by: https://review.openstack.org/45123
    Synchronize the key manager interface with Cinder

Addressed by: https://review.openstack.org/57548
    Replaces call to lvs with blockdev.

Addressed by: https://review.openstack.org/60621
    Adds dmcrypt utility module

Addressed by: https://review.openstack.org/61184
    Patch adds dmcrypt module.

Addressed by: https://review.openstack.org/61544
    Adds ephemeral_key_uuid field to instance

Gerrit topic: https://review.openstack.org/#q,topic:bp/linked,n,z

Addressed by: https://review.openstack.org/68285
    Add support for libvirt secret management

Addressed by: https://review.openstack.org/70228
    Adds ephemeral storage encryption for Raw back-end images

Abandoned:
==========
https://review.openstack.org/#/c/61184/
https://review.openstack.org/#/c/40932/

Merged in Havana:
================
https://review.openstack.org/#/c/45103/
https://review.openstack.org/#/c/45123/
https://review.openstack.org/#/c/45123/

Merged in Icehouse:
================
https://review.openstack.org/#/c/57548/
https://review.openstack.org/#/c/60621/
https://review.openstack.org/#/c/61544/

Waiting for review:
==============
https://review.openstack.org/#/c/40467/
https://review.openstack.org/#/c/68285/
https://review.openstack.org/#/c/70228/

This blueprint was too big in the first place, probably just delay the un-merged things, and mark this complete --johnthetubaguy

Apologies, this missed the deadline for Feature Freeze. Marking this one as Implemented, so please open a new blueprint for the remaining patches. Please rebase patches as soon as Juno opens, and we will try to get this in during that period. --johnthetubaguy (5th March 2014)

Given objections during the review, will need to look at the design of this integration with libvirt more carefully. The sticking point seems to be waiting for barbican. --johnthetubaguy

Work Items

Work items:
Initial work: DONE
wire up with libvirt: POSTPONED