A major concern about several encryption features within Nova [1, 2] has been 
the lack of secure key management. To address this concern, work has been 
underway to integrate these features with Barbican [3], which can be used to 
manage encryption keys across OpenStack.

We request a feature freeze exception be granted to merge this code [3], which 
is really a shim between the existing key manager interface in Nova and 
python-barbicanclient, into Nova [4]. The acceptance of this feature will 
improve the security of cloud users and operators who use the Cinder volume 
encryption feature [1], which is currently limited to a single, static 
encryption key for volumes. Cinder has already merged a similar feature [5] 
following the review of several patch revisions; not accepting the feature in 
Nova creates a disparity with Cinder with regard to the management of encryption 
keys.

As this is an optional feature that introduces very few changes to pre-existing 
code, the risk of disruption to existing deployments as well as the risk of 
regression is minimal. The only objection that has very recently been voiced is 
the implicit dependency on the Barbican service, which does not yet have 
experimental jobs in Tempest. Other core reviewers, though, believe that the 
existing unit tests included with the change are sufficient.

Thank you for taking the time to consider this request.

The APL Development Team

[1] https://blueprints.launchpad.net/nova/+spec/encrypt-cinder-volumes
[2] https://blueprints.launchpad.net/nova/+spec/lvm-ephemeral-storage-encryption
[3] https://review.openstack.org/#/c/104001/
[4] https://blueprints.launchpad.net/nova/+spec/encryption-with-barbican
[5] https://blueprints.launchpad.net/cinder/+spec/encryption-with-barbican


_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev