All,

Please reply or send me an email if you are using the ConfKeyManager (fixed-key key manager) in deployment for volume encryption or ephemeral storage encryption. You can check this by looking at the [keymgr] section, api_class entry of nova.conf or cinder.conf. The ConfKeyManager was only intended for testing and I am working on deprecating it. I would like to gauge the number of people using that back end, because it may affect the deprecation strategy.
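The config check described above, as an added audit script that is not part of the original post or of Nova/Cinder: it reads the [keymgr] section and reports whether api_class points at the fixed-key ConfKeyManager. The full module paths of ConfKeyManager, the assumption that an absent api_class falls back to the fixed-key manager, and the fixed_key option name are assumptions, not taken from the post.

```python
"""Audit nova.conf / cinder.conf for the fixed-key ConfKeyManager back end."""
import configparser
import sys

# Class paths of the fixed-key manager in Nova and Cinder (assumed module layout).
FIXED_KEY_CLASSES = {
    "nova.keymgr.conf_key_mgr.ConfKeyManager",
    "cinder.keymgr.conf_key_mgr.ConfKeyManager",
}


def audit_keymgr(config_text):
    """Inspect [keymgr] in an oslo.config-style INI text.

    Returns a dict with the configured api_class (None if absent), whether
    the deployment uses the fixed-key back end, and whether a fixed_key
    value is present. Assumption: when api_class is not set, the service
    falls back to ConfKeyManager, so an absent entry is also flagged.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(config_text)
    api_class = None
    fixed_key_set = False
    if parser.has_section("keymgr"):
        value = parser.get("keymgr", "api_class", fallback=None)
        api_class = value.strip() if value is not None else None
        fixed_key_set = bool(parser.get("keymgr", "fixed_key", fallback=""))
    if api_class is None:
        uses_fixed_key = True  # assumed default back end
    else:
        uses_fixed_key = (api_class in FIXED_KEY_CLASSES
                          or api_class.endswith(".ConfKeyManager"))
    return {"api_class": api_class, "uses_fixed_key": uses_fixed_key,
            "fixed_key_set": fixed_key_set}


def report(path, result):
    """Print one human-readable finding for a config file."""
    if result["uses_fixed_key"]:
        where = result["api_class"] or "api_class not set (assumed default)"
        print("%s: fixed-key ConfKeyManager in use (%s); one key protects "
              "every volume, so plan the migration to Castellan" % (path, where))
    else:
        print("%s: api_class = %s (not the fixed-key back end)"
              % (path, result["api_class"]))


if __name__ == "__main__":
    for cfg_path in sys.argv[1:] or ["/etc/nova/nova.conf", "/etc/cinder/cinder.conf"]:
        with open(cfg_path) as handle:
            report(cfg_path, audit_keymgr(handle.read()))
```

Run it as `python audit_keymgr.py /etc/nova/nova.conf /etc/cinder/cinder.conf` on each controller; a "fixed-key" line identifies a deployment that the deprecation affects.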
This is the start of the effort to replace the duplicated key manager code with Castellan [1], a key manager interface library that allows the user to swap out different back ends, such as Barbican. While Castellan is based on the key managers built into Nova and Cinder, it does not have the fixed-key back end. That back end is insecure. A single key is used for all volumes. If the key is compromised, all of the encrypted data is easily decrypted. See Joel Coffman's comments on the Nova spec [2]. Deprecating the fixed-key key manager would need to occur before Castellan is integrated.

Again, please let me know if you use the ConfKeyManager and you actively use the volume encryption and encrypted cinder volume features in a deployment. Other feedback is also welcome. I created a separate thread on the openstack-dev mailing list; please reply there with comments or questions.

Thanks,
Kaitlin Farr

1. Castellan source code. https://github.com/openstack/castellan
2. Castellan integration Nova spec. https://review.openstack.org/#/c/247561/
3. Castellan integration Cinder spec. https://review.openstack.org/#/c/247577/

_______________________________________________
OpenStack-operators mailing list
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
