Just an FYI, it doesn't solve cached images, but Swift does support at rest encryption, so if using the Swift store backend you can at least know your image on disk on the storage nodes would be safe. We still need to add more functionality like key rotation, but we do integrate with KMIP services or Barbican.
Still could be a good idea for other projects. I wasn't the one who wrote the Swift at-rest encryption but happy to, probably badly, help answer questions cause we might have some interesting lessons learned.

Matt

On Tue, Oct 16, 2018 at 12:36 AM Josephine Seifert <josephine.seif...@secustack.com> wrote:

> Hello OpenStack developers,
>
> we have made an etherpad as there were a few questions concerning
> the library we want to use for the encryption and decryption method:
>
> https://etherpad.openstack.org/p/library-for-image-encryption-and-decryption
>
> On 11.10.2018 at 15:10, Josephine Seifert wrote:
> > On 08.10.2018 at 17:16, Markus Hentsch wrote:
> >> Dear OpenStack developers,
> >>
> >> as you suggested, we have written individual specs for Nova [1] and
> >> Cinder [2] so far and will write another spec for Glance soon. We'd
> >> appreciate any feedback and reviews on the specs :)
> >>
> >> Thank you in advance,
> >> Markus Hentsch
> >>
> >> [1] https://review.openstack.org/#/c/608696/
> >> [2] https://review.openstack.org/#/c/608663/
> >>
> >> __________________________________________________________________________
> >> OpenStack Development Mailing List (not for usage questions)
> >> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> > The spec for Glance is also on gerrit now:
> >
> > https://review.openstack.org/#/c/609667/