Cinder creating and associating symmetric keys with encrypted volumes when used with Barbican
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | New | Undecided | Unassigned |
Bug Description
Description
===========
Cinder is creating and associating symmetric keys with encrypted volumes when used with Barbican. As discussed on the dev ML [1], these symmetric keys are not used to directly encrypt or decrypt these volumes within Cinder or Nova (via os-brick).
It would be less confusing to users and operators if passphrases were instead stored in Barbican and associated with these encrypted volumes. While Barbican does currently allow for secret passphrases to be stored, the associated key manager interface provided by Castellan and used by Cinder and Nova does not. This will need to be extended before any changes can be made to Cinder.
[1] http://
summary:
- Cinder is creating and associating symmetric keys with encrypted volumes
+ Cinder creating and associating symmetric keys with encrypted volumes when used with Barbican
Castellan does allow for passphrases to be stored.
https://github.com/openstack/castellan/blob/master/castellan/common/objects/passphrase.py
You would need to create a Passphrase object and use the key_manager.store() command to store it. However, you'd need to either get the user to input the passphrase or randomly generate the bytes somewhere. Generating symmetric/asymmetric keys is a standard key manager feature, but generating passphrases is not.
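The flow described in the comment above, as an added example that is not code from Cinder, Nova or Castellan: the passphrase is generated client-side from the OS CSPRNG, wrapped in a Passphrase object and handed to `store()`. `InMemoryKeyManager`, `generate_passphrase`, `store_volume_passphrase` and `fetch_volume_passphrase` are hypothetical names, and the in-memory manager is a constructed stand-in for the key manager a deployment would obtain from `castellan.key_manager.API()`.

```python
import secrets
import uuid

try:
    # Real Castellan managed-object class linked in the comment above.
    from castellan.common.objects.passphrase import Passphrase
except ImportError:
    class Passphrase:  # stand-in exposing only the members used below
        def __init__(self, passphrase, name=None):
            self._passphrase, self.name = passphrase, name

        def get_encoded(self):
            return self._passphrase


class InMemoryKeyManager:
    """Constructed stand-in for a Castellan key manager (store/get only)."""

    def __init__(self):
        self._objects = {}

    def store(self, context, managed_object):
        object_id = str(uuid.uuid4())
        self._objects[object_id] = managed_object
        return object_id

    def get(self, context, managed_object_id):
        return self._objects[managed_object_id]


def generate_passphrase(entropy_bytes=32):
    """Return a printable passphrase from the OS CSPRNG, as bytes."""
    if entropy_bytes < 16:
        raise ValueError("refusing to generate less than 128 bits of entropy")
    # Hex keeps the secret free of NUL and newline bytes, which
    # passphrase prompts and key files can truncate or mangle.
    return secrets.token_hex(entropy_bytes).encode("ascii")


def store_volume_passphrase(key_manager, context, volume_id):
    """Generate a passphrase client-side, store it, return the secret ID."""
    secret = Passphrase(generate_passphrase(), name="volume-%s" % volume_id)
    return key_manager.store(context, secret)


def fetch_volume_passphrase(key_manager, context, secret_id):
    """Fetch the stored object and return the raw passphrase bytes."""
    return key_manager.get(context, secret_id).get_encoded()
```

Because generation happens in the caller rather than in the key manager, the entropy source and minimum length are the caller's responsibility, which is why the helper rejects anything under 128 bits.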