On 3 December 2015 at 11:14, Li, Xiaoyan <[email protected]> wrote:
> Just to clear the data operations cinder needs to touch plaintext data are:
> 1) Create volume from glance image
> 2) Create glance image from volume
> 3) Retype encrypted volumes. That is to change a volume from unencrypted
> to encrypted, or vice versa.
>
> Backup/Restore doesn't need to decrypt data.
>

Backup / restore doesn't currently decrypt the data. There are some people commenting that it is not useful for DR work to have a backup that requires keys from a key service that is itself not backed up, so there may be some proposal incoming about not encrypting backups, or else giving them their own key rather than requiring access to the original volume key during restore - needing that access also makes things like re-keying the original volume difficult/impossible.

Again, we have multiple use-cases for encryption, and they are not all going to be solved by draconian dictates that there shall only be one way of doing things.
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
