Comment 1 for bug 2051108

NotTheEvilOne (ntoe) wrote :

We've drafted a basic approach for what we think needs to be changed. [1]

Here's the summary:
- Update /cinder/volume/api.py to accept an encryption key ID. The encryption key should be stored in the configured KeyManager (usually Barbican) beforehand to keep changes minimal and maintainable. Based on feedback from the OpenStack community, an alternative would be to provide and store the key right away on create.
- clone_encryption_key() of /cinder/volume/volume_utils.py must be used to ensure keys can be deleted when the volume is deleted.

[1] https://input.scs.community/9FbrLgYbT8KFvZGXLzay6Q?view#OpenStack