Comment 6 for bug 1372375

Joel Coffman (joel-coffman) wrote :

The question here is really what should happen if the LUKS header becomes corrupted for some reason.

Implicit in that question is the assumption that the header could be corrupted without also impacting the integrity of the data stored in the volume. While it's probably possible, my inclination is that corrupting the header would also likely corrupt other portions of the volume, in which case the user would probably want to restore the volume from a backup. (See patch to support backups of encrypted volumes: https://review.openstack.org/#/c/74532/)

Regarding the use of luksHeaderBackup and luksHeaderRestore, where do you propose storing the backup header file? Would a backup of the whole volume (see above) be sufficient in your opinion, or is there a specific need to backup only the header?

Finally, the decision to format the device in Nova instead of Cinder was intentional: because Cinder never has access to the encryption key (it merely requests the creation of an encryption key), only the compute host must be trusted. That is, the current flow limits trust among the various services in OpenStack. (I do not argue that flow could be different, but there are security trade-offs that should be considered with such a change.)
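An added example, not part of the comment above and not code from Nova, Cinder or cryptsetup, showing what "header corrupted" concretely means for a LUKS1 volume: the parser below walks the 592-byte on-disk header (208-byte main header plus eight 48-byte key slots, all big-endian, as in the LUKS1 specification) and rejects structurally damaged headers. The sample header is constructed inline for the example and is not a dump of a real volume. The checks are structural only; the master-key digest cannot be verified without a passphrase, so a flipped byte in a salt or digest passes here and is only caught at unlock time. For real volumes the tools to use are `cryptsetup luksDump`, `cryptsetup luksHeaderBackup` and `cryptsetup luksHeaderRestore`.

```python
"""Parse and sanity-check a LUKS1 header.

Added example; not code from the bug report, Nova, Cinder or cryptsetup.
Layout follows the LUKS1 on-disk format: 208-byte main header followed by
eight 48-byte key slots, all fields big-endian. The sample header below is
constructed for this example and is not a real volume dump.
"""
import struct

MAGIC = b"LUKS\xba\xbe"
HDR_FMT = ">6sH32s32s32sII20s32sI40s"   # main header, 208 bytes
SLOT_FMT = ">II32sII"                    # one key slot, 48 bytes
SLOT_COUNT = 8
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
HEADER_SIZE = struct.calcsize(HDR_FMT) + SLOT_COUNT * struct.calcsize(SLOT_FMT)  # 592


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_header(blob):
    """Return the header fields as a dict, raising ValueError if the header is
    malformed. Only structural checks are possible here: the master-key digest
    cannot be verified without a passphrase."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("short read: %d bytes, need %d" % (len(blob), HEADER_SIZE))
    (magic, version, cipher, mode, hashspec, payload_off, key_bytes,
     mk_digest, mk_salt, mk_iters, uuid) = struct.unpack_from(HDR_FMT, blob, 0)
    if magic != MAGIC:
        raise ValueError("bad magic %r" % magic)
    if version != 1:
        raise ValueError("unsupported LUKS version %d" % version)
    if payload_off == 0:
        raise ValueError("payload offset is zero")
    if key_bytes not in (16, 32, 64):
        raise ValueError("implausible master key size %d" % key_bytes)
    if mk_iters == 0:
        raise ValueError("zero master-key digest iterations")
    slots = []
    off = struct.calcsize(HDR_FMT)
    for i in range(SLOT_COUNT):
        active, iters, salt, km_off, stripes = struct.unpack_from(SLOT_FMT, blob, off)
        off += struct.calcsize(SLOT_FMT)
        if active not in (SLOT_ENABLED, SLOT_DISABLED):
            raise ValueError("slot %d has invalid active flag 0x%08x" % (i, active))
        # An enabled slot must point at key material that lies before the payload.
        if active == SLOT_ENABLED and (iters == 0 or stripes == 0 or km_off >= payload_off):
            raise ValueError("slot %d has inconsistent parameters" % i)
        slots.append({"active": active == SLOT_ENABLED, "iterations": iters,
                      "key_material_offset": km_off, "stripes": stripes})
    return {"version": version, "cipher": _cstr(cipher), "mode": _cstr(mode),
            "hash": _cstr(hashspec), "payload_offset_sectors": payload_off,
            "key_bytes": key_bytes, "mk_iterations": mk_iters,
            "uuid": _cstr(uuid), "slots": slots}


def build_sample_header():
    """Constructed LUKS1 header with only key slot 0 enabled (demo data, not a
    real volume). Values such as the 4096-sector payload offset and 4000 AF
    stripes mirror common cryptsetup defaults but are assumptions here."""
    main = struct.pack(HDR_FMT, MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                       4096, 32, b"\x11" * 20, b"\x22" * 32, 1000,
                       b"12345678-1234-1234-1234-123456789abc")
    slots = [struct.pack(SLOT_FMT, SLOT_ENABLED, 5000, b"\x33" * 32, 8, 4000)]
    slots += [struct.pack(SLOT_FMT, SLOT_DISABLED, 0, b"\x00" * 32, 8 + 512 * i, 4000)
              for i in range(1, SLOT_COUNT)]
    return main + b"".join(slots)


def header_is_sane(blob):
    """True if the header passes all structural checks."""
    try:
        parse_header(blob)
        return True
    except ValueError:
        return False


def corrupt(blob, offset, value=0xFF):
    """Return a copy with one byte overwritten, simulating a damaged header."""
    b = bytearray(blob)
    b[offset] = value
    return bytes(b)


if __name__ == "__main__":
    hdr = build_sample_header()
    print(parse_header(hdr))
    print("corrupt magic:      sane =", header_is_sane(corrupt(hdr, 0)))
    print("corrupt slot 0 flag: sane =", header_is_sane(corrupt(hdr, 208)))
    print("corrupt mk salt:    sane =", header_is_sane(corrupt(hdr, 140)), "(undetectable without passphrase)")
```

The last line of the demo is the practical caveat behind the comment's point: damage to the magic, version or slot flags is visible from the header alone, but a flipped byte in the master-key salt or digest leaves a structurally valid header that simply no longer unlocks, which is why keeping a copy of the header (or of the whole volume) matters more than trying to detect corruption after the fact.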