On 09/05/2014 07:51 AM, Daniel P. Berrange wrote:
> On Thu, Sep 04, 2014 at 05:19:45PM +0000, Coffman, Joel M. wrote:
>> A major concern about several encryption features within Nova [1, 2] has
>> been the lack of secure key management. To address this concern, work has
>> been underway to integrate these features with Barbican [3], which can be
>> used to manage encryption keys across OpenStack.
>>
>> We request a feature freeze exception be granted to merge this code [3],
>> which is really a shim between the existing key manager interface in Nova
>> and python-barbicanclient, into Nova [4]. The acceptance of this feature
>> will improve the security of cloud users and operators who use the Cinder
>> volume encryption feature [1], which is currently limited to a single,
>> static encryption key for volumes. Cinder has already merged a similar
>> feature [5] following the review of several patch revisions; not accepting
>> the feature in Nova creates a disparity with Cinder in regards to the
>> management of encryption keys.
>>
>> As this is an optional feature that introduces very few changes to
>> pre-existing code, the risk of disruption to existing deployments as well as
>> the risk of regression is minimal. The only objection that has very recently
>> been voiced is the implicit dependency on the Barbican service, which does
>> not yet have experimental jobs in Tempest. Other core reviewers, though,
>> believe that the existing unit tests included with the change are sufficient.
>>
>> Thank you for taking the time to consider this request.
>
> I sponsor it as it is effectively part of the LVM encryption blueprint
> which I've already sponsored. So we should consider FFE for both those
> blueprints together, rather than in isolation.

Agreed, I kind of assumed we were thinking about them as one thing.
-Sean
--
Sean Dague
http://dague.net
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev