On Tue, Sep 3, 2013 at 4:38 PM, Coffman, Joel M. <joel.coff...@jhuapl.edu>wrote:

> We have fully implemented support for transparently encrypting Cinder
> volumes <https://blueprints.launchpad.net/nova/+spec/encrypt-cinder-volumes>
> from within Nova (see https://review.openstack.org/#/c/30976/), but the lack
> of a secure key manager within OpenStack currently precludes us from
> integrating our work with that piece of the overall architecture. Instead, a
> key manager interface (see https://review.openstack.org/#/c/30973/) abstracts
> this interaction. We would appreciate the consideration of the Nova core team
> regarding merging our existing work because 1) there is nothing immediately
> available with which to integrate; 2) services such as Barbican
> <https://launchpad.net/cloudkeep/+announcements> are on the path to
> incubation and alternative key management schemes (e.g., KMIP Client for
> volume encryption key management
> <https://blueprints.launchpad.net/nova/+spec/kmip-client-for-volume-encryption>)
> have also been proposed; 3) we avoid the hassle of rebasing until the
> aforementioned services become available; and 4) our code does not directly
> depend upon a particular key manager but upon the aforementioned interface,
> which should be simple for key managers to implement. Furthermore, the
> current dearth of key management within OpenStack does not preclude the use
> of our existing work within a production environment; although the security
> is diminished, our implementation provides protection against certain
> attacks like intercepting the iSCSI communication between the compute and
> storage host.
>

How can someone use your code without a key manager?


>
> Feedback regarding the possibility of merging our work would be
> appreciated.
>
> Joel
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
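The arrangement Joel describes above (encryption done in Nova behind a key
manager interface, with a reduced-security mode while no key service exists),
as an added example. This is not code from Nova, the linked reviews or
Barbican; every name in it (KeyManager, ConfigKeyManager, InMemoryKeyManager,
EncryptedVolume, the HMAC-based stream cipher, the sample volume id, key and
sector data) is an assumption made for illustration. It shows why a
configured fallback key still defeats a passive iSCSI sniffer, and why it does
not stop an attacker who can also read the host's configuration, which is the
trade-off the question above is asking about:

```python
# Added illustration; names and sample values are assumptions, not Nova's API.
import hashlib
import hmac
import secrets
import uuid
from abc import ABC, abstractmethod


class KeyManager(ABC):
    """What the volume-encryption code depends on: an interface, not a service."""

    @abstractmethod
    def create_key(self, context, length=32):
        """Create a key and return its id."""

    @abstractmethod
    def get_key(self, context, key_id):
        """Return the raw key bytes for key_id."""


class ConfigKeyManager(KeyManager):
    """Fallback when no key service exists: one key read from configuration and
    shared by every volume. Traffic is still encrypted, but anyone who can read
    that configuration can decrypt every volume."""

    FIXED_KEY_ID = "00000000-0000-0000-0000-000000000000"  # the only id it knows

    def __init__(self, fixed_key_hex):
        self._key = bytes.fromhex(fixed_key_hex)

    def create_key(self, context, length=32):
        return self.FIXED_KEY_ID

    def get_key(self, context, key_id):
        return self._key


class InMemoryKeyManager(KeyManager):
    """Stand-in for a real key service: a fresh random key per volume, handed
    out only by id; nothing in the host configuration reveals it."""

    def __init__(self):
        self._keys = {}

    def create_key(self, context, length=32):
        key_id = str(uuid.uuid4())
        self._keys[key_id] = secrets.token_bytes(length)
        return key_id

    def get_key(self, context, key_id):
        return self._keys[key_id]


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher used only so the
    example runs on the standard library. It stands in for the real block
    cipher and is not a recommendation."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_sector(key, volume_id, sector_no, data):
    """Encrypt or decrypt one sector. The nonce binds volume id and sector
    number, so equal plaintext in two sectors gives different ciphertext."""
    nonce = volume_id.encode() + sector_no.to_bytes(8, "big")
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


class EncryptedVolume:
    """The compute host's view of an attached volume: it fetched the key by id
    from the manager and transforms sectors before they reach iSCSI."""

    def __init__(self, key_manager, context, volume_id, key_id):
        self.volume_id = volume_id
        self._key = key_manager.get_key(context, key_id)

    def write(self, sector_no, plaintext):
        return xor_sector(self._key, self.volume_id, sector_no, plaintext)

    def read(self, sector_no, ciphertext):
        return xor_sector(self._key, self.volume_id, sector_no, ciphertext)


CONFIG_KEY_HEX = "00" * 16 + "ff" * 16  # constructed: a key placed in the host config
SAMPLE_SECTOR = b"customer record: card ending 4242"  # constructed sample data


def simulate(key_manager, leaked_config_key_hex):
    """One write through the given manager, then an attacker who captured the
    iSCSI traffic (volume id, sector number, ciphertext) and also read the host
    configuration. Returns (host read-back, bytes on the wire, attacker view)."""
    context = {"project_id": "demo"}  # constructed; stands in for a request context
    volume_id = "2b0d3a1e-5c7f-4a88-9e5d-3f8c0b1a9d42"  # constructed volume id
    vol = EncryptedVolume(key_manager, context, volume_id,
                          key_manager.create_key(context))
    on_the_wire = vol.write(7, SAMPLE_SECTOR)
    attacker_key = bytes.fromhex(leaked_config_key_hex)
    attacker_view = xor_sector(attacker_key, volume_id, 7, on_the_wire)
    return vol.read(7, on_the_wire), on_the_wire, attacker_view


if __name__ == "__main__":
    for mgr in (ConfigKeyManager(CONFIG_KEY_HEX), InMemoryKeyManager()):
        host, wire, attacker = simulate(mgr, CONFIG_KEY_HEX)
        print(type(mgr).__name__, "wire encrypted:", wire != SAMPLE_SECTOR,
              "| attacker holding the config key recovers data:", attacker == SAMPLE_SECTOR)
```

Run as a script, the ConfigKeyManager case reports that the wire is encrypted
and that the attacker with the configuration key recovers the sector, while
the InMemoryKeyManager case reports the wire encrypted and the attacker
recovering nothing useful. Swapping the backend touches nothing in
EncryptedVolume, which is the point of depending on the interface rather than
on a particular key manager.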