NFS Encryption

Registered by Sofia Enriquez

Volume encryption helps provide basic data protection in case the volume back-end is either compromised or outright stolen. The contents of an encrypted volume can only be read with the use of a specific key.

Cinder is working on supporting encryption on NFS volumes. To do this, the NFS driver uses LUKS inside qcow2. This affects Nova because, when using qemu, Nova cannot currently handle the LUKS-inside-qcow2 disk format.

The new implementation involves:
- A new function to verify whether a volume utilizes LUKS inside qcow2.
- Libvirt needs to keep track of the parent qcow2 images and the related secret for each image. At the moment Nova cannot identify all of the relation chains, and the proposed code adds them explicitly.
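
The two items above both depend on per-image metadata: whether an image is LUKS-encrypted, and which parent it points to. The following is an added example, not Nova's or Cinder's code; it reads the `crypt_method` and backing-file fields directly from the qcow2 header as laid out in the QEMU qcow2 specification. The function names and the sample headers are assumptions constructed for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
# crypt_method values defined by the qcow2 format
CRYPT_METHODS = {0: "none", 1: "aes", 2: "luks"}
# Big-endian: magic, version, backing_file_offset, backing_file_size,
# cluster_bits, size, crypt_method (bytes 0..35 of the header)
_HEADER = struct.Struct(">4sIQIIQI")


def inspect_qcow2(data):
    """Return (crypt_method_name, backing_file_or_None) from leading image bytes."""
    if len(data) < _HEADER.size:
        raise ValueError("truncated qcow2 header")
    magic, version, bf_off, bf_len, _bits, _size, crypt = _HEADER.unpack_from(data)
    if magic != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    if version not in (2, 3):
        raise ValueError("unsupported qcow2 version %d" % version)
    if crypt not in CRYPT_METHODS:
        raise ValueError("unknown crypt_method %d" % crypt)
    backing = None
    if bf_off:  # offset 0 means the image has no backing file
        if bf_off + bf_len > len(data):
            raise ValueError("backing file name outside supplied data")
        backing = data[bf_off:bf_off + bf_len].decode("utf-8")
    return CRYPT_METHODS[crypt], backing


def qcow2_uses_luks(data):
    """Hypothetical helper: True when the header declares LUKS encryption."""
    return inspect_qcow2(data)[0] == "luks"


def _make_header(crypt, backing=b""):
    """Constructed sample: a minimal qcow2 v3 header with no real clusters."""
    off = 112 if backing else 0
    hdr = _HEADER.pack(QCOW2_MAGIC, 3, off, len(backing), 16, 1 << 30, crypt)
    return hdr.ljust(112, b"\0") + backing


if __name__ == "__main__":
    # Each layer of a chain is inspected separately, since each image
    # may carry its own encryption setting and therefore its own secret.
    for img in (_make_header(2, b"parent.qcow2"), _make_header(0)):
        print(inspect_qcow2(img))
```

Each image in a backing chain has its own header, so the check has to be repeated per layer rather than only on the top image.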

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: Sofia Enriquez
Direction: Needs approval
Assignee: Sofia Enriquez
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None

Whiteboard

Implement is_luks_inside_qcow2 function: https://review.opendev.org/c/openstack/nova/+/854030

Implement encryption on backingStore: https://review.opendev.org/c/openstack/nova/+/870012

Gerrit topic: https://review.opendev.org/#/q/topic:bp/nfs-volume-encryption

Addressed by: https://review.opendev.org/c/openstack/nova-specs/+/883516
    Implement support for LUKS inside qcow2 volumes when using Libvirt
