Storage: Encryption of ephemeral storage (first steps only)

Registered by Laura Glendenning

This blueprint is an incremental feature to [].

When a virtual machine (VM) is launched, ephemeral storage is created for it on the local disks of the host that runs the VM: a volume for the guest operating system files, and optionally further volumes for additional storage space. These volumes are currently not encrypted, which makes compute hosts high-value targets: an attacker who breaks into one host can read the disks of every VM it runs. This feature makes that harder by encrypting each volume with its own key, which is not stored on the host. It also covers the case where the physical storage medium is stolen, remounted and read on a different machine, since without the key the medium holds only ciphertext.

The aim of this blueprint is to encrypt the VM's data before it is written to disk, in the same way a self-encrypting drive does: the VM is presented with an ordinary block device, and the virtualization host encrypts the bytes before they reach the backing store and decrypts them again on read. For more information, see the referenced specification.
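The following is an added example, not code from Nova or from the patches listed on this page. It models the design in the two paragraphs above and the dm-crypt layer named in the LVM patch below: the guest reads and writes plain sectors, the host stores only ciphertext, each instance's key is fetched from a key manager by id (the ephemeral_key_uuid field) rather than kept on the host. Everything in it is a stand-in: an in-memory KeyManager in place of Barbican, a 4-round Feistel permutation with HMAC-SHA256 round functions and the sector number as tweak in place of dm-crypt's AES-XTS, and a constructed placeholder value for the static key manager. The StaticKeyManager exercise shows the caveat a practitioner should carry away from the "static key" patch: with one shared key, one disk's ciphertext decrypts under any other instance's key.

```python
"""Sector-level encryption of an ephemeral disk, modelled on the dm-crypt
layer this blueprint describes.  Added example, not Nova code: stdlib-only
tweakable permutation stands in for AES-XTS, in-memory KeyManager stands
in for the external key manager (Barbican)."""
import hashlib
import hmac
import os
import uuid

SECTOR = 512
HALF = SECTOR // 2
ROUNDS = 4


class KeyManager:
    """Per-instance keys held outside the compute host (here: in memory).
    create_key() returns the id Nova would store in instance.ephemeral_key_uuid."""

    def __init__(self):
        self._keys = {}

    def create_key(self) -> str:
        key_id = str(uuid.uuid4())
        self._keys[key_id] = os.urandom(32)
        return key_id

    def get_key(self, key_id: str) -> bytes:
        return self._keys[key_id]


class StaticKeyManager(KeyManager):
    """Models the 'static key' key manager listed among the patches:
    every instance is issued the same key (placeholder value, constructed)."""

    STATIC_KEY = b"\x01" * 32

    def create_key(self) -> str:
        key_id = str(uuid.uuid4())
        self._keys[key_id] = self.STATIC_KEY
        return key_id


def _round(key: bytes, sector: int, rnd: int, half: bytes) -> bytes:
    """PRF round function expanded to HALF bytes; the sector number is mixed
    in as a tweak so identical plaintext encrypts differently per sector."""
    out = b""
    for ctr in range((HALF + 31) // 32):
        msg = sector.to_bytes(8, "big") + bytes([rnd, ctr]) + half
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[:HALF]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_sector(key: bytes, sector: int, data: bytes) -> bytes:
    if len(data) != SECTOR:
        raise ValueError("sector must be %d bytes" % SECTOR)
    left, right = data[:HALF], data[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round(key, sector, rnd, right))
    return left + right


def decrypt_sector(key: bytes, sector: int, data: bytes) -> bytes:
    if len(data) != SECTOR:
        raise ValueError("sector must be %d bytes" % SECTOR)
    left, right = data[:HALF], data[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, sector, rnd, left)), left
    return left + right


class EncryptedDisk:
    """Guest view (plaintext sectors) versus what the host's backing store,
    e.g. the logical volume, actually holds: `backing`."""

    def __init__(self, key: bytes, sectors: int):
        self.key = key
        self.backing = bytearray(SECTOR * sectors)

    def write(self, sector: int, data: bytes) -> None:
        off = sector * SECTOR
        self.backing[off:off + SECTOR] = encrypt_sector(self.key, sector, data)

    def read(self, sector: int) -> bytes:
        off = sector * SECTOR
        return decrypt_sector(self.key, sector, bytes(self.backing[off:off + SECTOR]))


def demo() -> dict:
    """Exercise the threat model from the blueprint description."""
    marker = b"guest secret"                      # constructed sample data
    plain = marker.ljust(SECTOR, b"\x00")
    km = KeyManager()
    disk = EncryptedDisk(km.get_key(km.create_key()), sectors=3)
    disk.write(1, plain)
    disk.write(2, plain)
    # Stolen or remounted medium: the backing store holds ciphertext only.
    plaintext_on_medium = marker in bytes(disk.backing)
    # Guest view round-trips through the encrypting layer.
    roundtrip_ok = disk.read(1) == plain
    # Same plaintext in two sectors gives different ciphertext (sector tweak).
    sector_tweaked = disk.backing[SECTOR:2 * SECTOR] != disk.backing[2 * SECTOR:3 * SECTOR]
    # Static key manager: instance A's disk decrypts under instance B's key.
    skm = StaticKeyManager()
    disk_a = EncryptedDisk(skm.get_key(skm.create_key()), sectors=1)
    key_b = skm.get_key(skm.create_key())
    disk_a.write(0, plain)
    cross_instance_readable = decrypt_sector(key_b, 0, bytes(disk_a.backing)) == plain
    return {"plaintext_on_medium": plaintext_on_medium, "roundtrip_ok": roundtrip_ok,
            "sector_tweaked": sector_tweaked, "cross_instance_readable": cross_instance_readable}
```

In the real implementation the encrypting layer is the kernel's dm-crypt target, and the key must reach the host without touching local storage (cryptsetup can read it from stdin with `--key-file=-`, which is the idiom to prefer over a key file on the compute node). Like XTS, the Feistel stand-in is deterministic per sector, so rewriting a sector with identical contents yields identical ciphertext; that equality is the only thing the backing store reveals.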

Blueprint information

Russell Bryant
APL Development team for OpenStack
APL Development team for OpenStack
Series goal: Accepted for icehouse
Milestone target: 2014.1
Started by: Joel Coffman
Completed by: John Garbutt

Related branches



Gerrit topic: bp/encrypt-ephemeral-storage

Addressed by:
    Adds ephemeral storage encryption

Addressed by:
    This patch adds ephemeral storage encryption for LVM back-end instances. Encryption is implemented by passing all data written to and read from the logical volumes through a dm-crypt layer. Most instance operations such as pause/continue, suspend/resume,

Gerrit topic: bp/encrypt-cinder-volumes

Addressed by:
    Add key manager implementation with static key

Addressed by:
    Synchronize the key manager interface with Cinder

Addressed by:
    Replaces call to lvs with blockdev.

Addressed by:
    Adds dmcrypt utility module

Addressed by:
    Patch adds dmcrypt module.

Addressed by:
    Adds ephemeral_key_uuid field to instance

Gerrit topic: bp/linked

Addressed by:
    Add support for libvirt secret management

Addressed by:
    Adds ephemeral storage encryption for Raw back-end images


Merged in Havana:

Merged in Icehouse:

Waiting for review:

This blueprint was too big in the first place, probably just delay the un-merged things, and mark this complete --johnthetubaguy

Apologies, this missed the deadline for Feature Freeze. Marking this one as Implemented, so please open a new blueprint for the remaining patches. Please rebase patches as soon as Juno opens, and we will try to get this in during that period. --johnthetubaguy (5th March 2014)

Given objections during the review, will need to look at the design of this integration with libvirt more carefully. The sticking point seems to be waiting for barbican. --johnthetubaguy


Work Items

Work items:
Initial work: DONE
wire up with libvirt: POSTPONED