Add cinder volume encryption usage doc

Bug #1224977 reported by Anne Gentle
Affects: openstack-manuals
Status: Fix Released
Importance: High
Assigned to: Brent Roskos

Bug Description

https://review.openstack.org/#/c/45103/

Per feedback received on other patch sets, an example key manager
driver is required to support ephemeral storage encryption and
Cinder volume encryption. The ConfKeyManager class reads its key
from the project's configuration file and provides this key for
*all* requests. As such, this key manager is insecure but allows
the aforementioned encryption features to be used without further
integration effort.

To clarify the above statements, the configuration-based key
manager uses a single, fixed key. When used to encrypt data (e.g.,
by the Cinder volume encryption feature), the encryption provides
limited protection for the confidentiality of data. For example,
data cannot be read from a lost or stolen disk, and a volume's
contents cannot be reconstructed if an attacker intercepts the iSCSI
traffic between the compute and storage host. If the key is ever
compromised, then any data encrypted with the key can be decrypted.

Implements blueprint encrypt-cinder-volumes
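
The description above says the configuration-based key manager serves one fixed key for all requests, so a deployment that relies on it can be found by auditing the service configuration files. This audit is an added example, not code from OpenStack or from this bug report. The `[keymgr]` and `[key_manager]` section names and the `fixed_key` option are assumptions (they are not named on this page), and the sample files and key values are constructed.

```python
import configparser

# Assumption: sections/option used by OpenStack's fixed-key manager across
# releases; neither name appears in this bug report.
KEY_SECTIONS = ("keymgr", "key_manager")
KEY_OPTION = "fixed_key"

# Constructed sample files; the key values are made up for the example.
SAMPLES = {
    "cinder.conf": "[DEFAULT]\ndebug = false\n[keymgr]\nfixed_key = " + "0" * 64 + "\n",
    "nova.conf": "[keymgr]\nfixed_key = " + "0" * 64 + "\n",
    "other.conf": "[key_manager]\nfixed_key = " + "0123456789abcdef" * 4 + "\n",
    "glance.conf": "[DEFAULT]\ndebug = false\n",
}


def find_fixed_key(text):
    """Return (section, key) when a static key is configured, else None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in KEY_SECTIONS:
        key = cp.get(section, KEY_OPTION, fallback=None)
        if key and key.strip():
            return section, key.strip()
    return None


def audit(configs):
    """Return sorted (file, finding) pairs; key material is never echoed."""
    findings = set()
    by_key = {}
    for name, text in configs.items():
        hit = find_fixed_key(text)
        if hit is None:
            continue
        _, key = hit
        findings.add((name, "fixed-key"))        # one key serves *all* requests
        if len(set(key)) < 4:
            findings.add((name, "trivial-key"))  # e.g. all zeros
        by_key.setdefault(key, []).append(name)
    for names in by_key.values():
        if len(names) > 1:                       # same secret in several files
            findings.update((n, "shared-key") for n in names)
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(SAMPLES):
        print(f"{name}: {finding}")
```

A `shared-key` finding marks every file that holds the same secret, which is the set of hosts whose compromise exposes all data encrypted with that key.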

Anne Gentle (annegentle) wrote :

See also, Add key manager implementation with static key, https://review.openstack.org/#/c/46091/

Tom Fifield (fifieldt) wrote :

I am confused by what's required by this bug. Can we get some more context?

Changed in openstack-manuals:
milestone: none → juno
Brent Roskos (broskos)
Changed in openstack-manuals:
assignee: nobody → Brent Roskos (broskos)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/113302
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=12ededa7ae76ace98f9447297de1ea3936e79aaf
Submitter: Jenkins
Branch: master

commit 12ededa7ae76ace98f9447297de1ea3936e79aaf
Author: Brent Roskos <email address hidden>
Date: Mon Aug 11 12:16:16 2014 -0400

    Add documentation for cinder volume encryption.

    Closes-Bug: #1224977

    Documentation covers the setup of encryption configuration,
    creating the necessary volume-type and creating encrypted
    volumes. Also shows a short procedure to validate encryption.

    Change-Id: I58b84e5119f56873fd4b74949d42f013b07ec91d

Changed in openstack-manuals:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-manuals 15.0.0

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.
