On Thu, Sep 04, 2014 at 05:19:45PM +0000, Coffman, Joel M. wrote:
> A major concern about several encryption features within Nova [1, 2] has been
> the lack of secure key management. To address this concern, work has been
> underway to integrate these features with Barbican, which can be used to
> manage encryption keys across OpenStack.
>
> We request a feature freeze exception be granted to merge this code,
> which is really a shim between the existing key manager interface in Nova and
> python-barbicanclient, into Nova. The acceptance of this feature will
> improve the security of cloud users and operators who use the Cinder volume
> encryption feature, which is currently limited to a single, static
> encryption key for volumes. Cinder has already merged a similar feature
> following the review of several patch revisions; not accepting the feature in
> Nova creates a disparity with Cinder in regards to the management of
> encryption keys.
>
> As this is an optional feature that introduces very few changes to
> pre-existing code, the risk of disruption to existing deployments as well as
> the risk of regression is minimal. The only objection that has very recently
> been voiced is the implicit dependency on the Barbican service, which does
> not yet have experimental jobs in Tempest. Other core reviewers, though,
> believe that the existing unit tests included with the change are sufficient.
>
> Thank you for taking the time to consider this request.

I sponsor it as it is effectively part of the LVM encryption blueprint which
I've already sponsored. So we should consider FFE for both those blueprints
together, rather than in isolation.

Regards,
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|