Comment 1 for bug 1852106

Okay, so while this is a valid bug I don't think the overall use case has ever worked.

cinder_encryption_key_id isn't used anywhere within openstack/nova [1]. For the libvirt driver at least we only `support` ephemeral encryption with the LVM imagebackend. There we use instance.ephemeral_key_uuid to track the key used to encrypt and then decrypt the encrypted disk(s). AFAICT this a fresh key created each time we launch an instance if CONF.ephemeral_storage_encryption.enabled is True [2], at no time do we lookup and/or use cinder_encryption_key_id from the image metadata.

As a result I can't see how we could ever launch (and importantly allow the guest OS to boot) an instance using an encrypted image that itself was created from an encrypted volume.

Do you know if this has ever been tested and if so where/how?

[1] http://codesearch.openstack.org/?q=cinder_encryption_key_id&i=nope&files=&repos=
[2] https://github.com/openstack/nova/blob/7aa88029bbf6311033457c32801963da01e88ecb/nova/compute/api.py#L1808-L1820