libvirt: Disconnect dm-crypt when encrypted instance is suspended or powered-off

Registered by Dan Genin on 2014-12-02

The recently introduced LVM ephemeral storage encryption feature secures user data at rest. The current implementation makes user data unreadable after the instance has been terminated. While the instance is active (e.g., running, paused, suspended or powered off) on the compute host, the data is readable only by the super-user. This protection against unauthorized access can be strengthened further by disconnecting the dm-crypt device and flushing the encryption key from memory when an instance is suspended or powered off. The dm-crypt device is what allows the encrypted data to be accessed in the clear, so disconnecting it renders the data unreadable by anyone without the key.

Blueprint information

Status: Not started
Approver: John Garbutt
Priority: Low
Drafter: Joel Coffman
Direction: Needs approval
Assignee: Dane Fichter
Definition: Pending Approval
Series goal: None
Implementation: Not started
Milestone target: None

Whiteboard

Spec changes:
Addressed by: https://review.openstack.org/140847
    Stop encrypted disk on instance suspend/power off
Addressed by: https://review.openstack.org/172924
    Stop encrypted disk on instance suspend/power off

Sorry, we have now hit the non-priority feature freeze for kilo. Please resubmit your spec for the L release. --johnthetubaguy 5th Feb 2015

Gerrit topic: https://review.openstack.org/#q,topic:bp/stop-dmcrypt-on-suspend,n,z

Addressed by: https://review.openstack.org/177398
    libvirt: Clean up unit tests for _hard_reboot

Addressed by: https://review.openstack.org/177437
    libvirt: Remove unnecessary JSON conversions

Addressed by: https://review.openstack.org/198752
    libvirt: Replace stubs with mocks for test_dmcrypt

Addressed by: https://review.openstack.org/198774
    libvirt: Add logging for dm-crypt error conditions

Addressed by: https://review.openstack.org/198880
    libvirt: Add test case for suspend

It seems like the key patch is:
https://review.openstack.org/#/c/141485
But there are lots of dependent patches that are required first, that don't need to be blocked by the freeze.
--johnthetubaguy

Sorry, we have now hit the non-priority feature freeze for Liberty. You will need to resubmit this blueprint for Mitaka or apply for an exception. For more details on why this is happening, and the rest of the process details, please see: https://wiki.openstack.org/wiki/Nova/Liberty_Release_Schedule
--johnthetubaguy 3rd July 2015

Addressed by: https://review.openstack.org/223138
    Stop encrypted disk on instance suspend/power off

Pending Patches
------------------------

Addressed by: https://review.openstack.org/141485
    Disconnect dm-crypt on instance suspend/stop

Sorry, we have now hit the Non-Priority Feature Freeze for Mitaka. For more details please see: http://docs.openstack.org/releases/schedules/mitaka.html#m-nova-npff and http://docs.openstack.org/developer/nova/process.html#non-priority-feature-freeze
--johnthetubaguy 2016.01.31

Addressed by: https://review.openstack.org/307476
    Stop encrypted disk on instance suspend/power off

This is re-approved for newton. The patch needs to be cleaned up and comments addressed. I've already asked johnthetubaguy to drop the procedural -2. -- mriedem 20160421

It looks like no one ever picked this up again for Newton and we're pretty much at non-priority feature freeze, so I'm deferring this for Newton. -- mriedem 20160629
