Add cinder volume encryption usage doc
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openstack-manuals |
Fix Released
|
High
|
Brent Roskos |
Bug Description
https:/
Per feedback received on other patch sets, an example key manager
driver is required to support ephemeral storage encryption and
Cinder volume encryption. The ConfKeyManager class reads its key
from the project's configuration file and provides this key for
*all* requests. As such, this key manager is insecure but allows
the aforementioned encryption features to be used without further
integration effort.
To clarify the above statements, the configuration-based key
manager uses a single, fixed key. When used to encrypt data (e.g.,
by the Cinder volume encryption feature), the encryption provides
limited protection for the confidentiality of data. For example,
data cannot be read from a lost or stolen disk, and a volume's
contents cannot be reconstructed if an attacker intercepts the iSCSI
traffic between the compute and storage host. If the key is ever
compromised, then any data encrypted with the key can be decrypted.
Implements blueprint encrypt-
Changed in openstack-manuals: | |
assignee: | nobody → Brent Roskos (broskos) |
status: | Confirmed → In Progress |
See also, Add key manager implementation with static key, https:/ /review. openstack. org/#/c/ 46091/