OpenStack Compute (nova)

libvirt: Disconnect dm-crypt when encrypted instance is suspended or powered-off

Registered by Dan Genin on 2014-12-02

The recently introduced LVM ephemeral storage encryption feature secures user data at rest. Current implementation makes user data unreadable after the instance has been terminated. While the instance is active (e.g., running, paused, suspended or powered off) on the compute host, the data is readable only by the super-user. This protection against unauthorized access can be strengthened further by disconnecting the dm-crypt device when an instance is suspended or powered off and flushing the encryption key from memory. The dm-crypt device is what allows the encrypted data to be accessed in the clear, so disconnecting it will render the data unreadable by anyone without the key.

Read the full specification

Blueprint information

Status:: Not started

Approver:: John Garbutt

Priority:: Low

Drafter:: Joel Coffman

Direction:: Needs approval

Assignee:: Dane Fichter

Definition:: Pending Approval

Series goal:: None

Implementation:: Not started

Milestone target:: None

Related branches

Related bugs

Sprints

Whiteboard

Spec changes:
Addressed by: https://review.openstack.org/140847
Stop encrypted disk on instance suspend/power off
Addressed by: https://review.openstack.org/172924
Stop encrypted disk on instance suspend/power off

Sorry, we have now hit the non-priority feature freeze for kilo. Please resubmit your spec for the L release. --johnthetubaguy 5th Feb 2015

Gerrit topic: https://review.openstack.org/#q,topic:bp/stop-dmcrypt-on-suspend,n,z

Addressed by: https://review.openstack.org/177398
libvirt: Clean up unit tests for _hard_reboot

Addressed by: https://review.openstack.org/177437
libvirt: Remove unnecessary JSON conversions

Addressed by: https://review.openstack.org/198752
libvirt: Replace stubs with mocks for test_dmcrypt

Addressed by: https://review.openstack.org/198774
libvirt: Add logging for dm-crypt error conditions

Addressed by: https://review.openstack.org/198880
libvirt: Add test case for suspend

It seems like the key patch is:
https://review.openstack.org/#/c/141485
But there are lots of dependent patches that are required first, that don't need to be blocked by the freeze.
--johnthetubuagy

Sorry, we have now hit the non-priority feature freeze for Liberty. You will need to resubmit this blueprint for Mitaka or apply for an exception. For more details on why this is happening, and the rest of the process details, please see: https://wiki.openstack.org/wiki/Nova/Liberty_Release_Schedule
--johnthetubaugy 3rd July 2015

Addressed by: https://review.openstack.org/223138
Stop encrypted disk on instance suspend/power off

Pending Patches
------------------------

Addressed by: https://review.openstack.org/141485
Disconnect dm-crypt on instance suspend/stop

Sorry, we have now hit the Non-Priority Feature Freeze for Mitaka. For more details please see: http://docs.openstack.org/releases/schedules/mitaka.html#m-nova-npff and http://docs.openstack.org/developer/nova/process.html#non-priority-feature-freeze
--johnthetubaguy 2016.01.31

Addressed by: https://review.openstack.org/307476
Stop encrypted disk on instance suspend/power off

This is re-approved for newton. The patch needs to be cleaned up and comments addressed. I've already asked johnthetubaguy to drop the procedural -2. -- mriedem 20160421

It looks like no one ever picked this up again for Newton and we're pretty much at non-priority feature freeze, so I'm deferring this for Newton. -- mriedem 20160629

(?)

Work Items

This blueprint contains Public information

Everyone can see this information.

Subscribers

No subscribers.