On Mon, Nov 23, 2015 at 03:45:55AM +0000, Li, Xiaoyan wrote:
> Hi all,
> More help about volume encryption is needed.
>
> About uploading encrypted volumes to image, there are three options:
> 1. Glance only keeps non-encrypted images. So when uploading encrypted
> volumes to image, cinder decrypts the data and uploads.

This may be desirable in some cases, but for people wanting to provide end to end encryption of all tenant data, unencrypting volumes when converting them to images to store in glance is really the last thing we want to do. Once tenant data is encrypted, the goal should be to never decrypt it again except when booting an instance with the volume or image.

> 2. Glance maintains encrypted images. Cinder just uploads the encrypted
> data to image.

That is highly desirable as an option, since it allows glance to remain a relatively untrusted component. The image signature work will soon allow Nova to consider glance as untrusted, by allowing Nova to verify that Glance has not tampered with the data that was provided by the user, nor tried to serve Nova data from a different user. Following this lead, I think the ability to prevent Glance seeing any plaintext data from the image is an obvious beneficial step forwards.

> 3. Just prevent the function to upload encrypted volumes to images.

That's obviously fairly limiting.

> Option 1 No changes needed in Glance. But it may be not safe. As we
> decrypt the data, and upload it to images.

s/may be not safe/is not safe/.

> Option 2 This imports encryption to Glance which needs to manage the
> encryption metadata.

Glance doesn't need to do all that much besides recording a few bits of metadata, so that doesn't seem unreasonable to do.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
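Option 2 as argued for above, as an added illustration that is not from this thread or from OpenStack's code: Cinder hands Glance only AES-GCM ciphertext plus a few bits of metadata, and Nova, the only component that fetches the tenant key, detects at boot time any tampering with the data or any relabelling of the image to another owner. The Image struct, the keyManager map and the key ids are constructed for the example; OpenStack uses Barbican and its own metadata names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Image is what Glance stores under option 2: ciphertext plus a few bits of metadata. No key, no plaintext.
type Image struct {
	Owner, KeyID, Cipher string
	Nonce, Data          []byte
}
// keyManager stands in for the key manager (Barbican in OpenStack); constructed for this example.
var keyManager = map[string][]byte{}

// aad binds the ciphertext to owner and key metadata, so Glance cannot serve one tenant's image to another by relabelling it.
func aad(img Image) []byte { return []byte(img.Owner + "|" + img.KeyID + "|" + img.Cipher) }

// gcmFor fetches the tenant key by id and builds an AES-GCM instance.
func gcmFor(keyID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(keyManager[keyID]) // unknown id -> empty key -> KeySizeError
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// cinderUpload encrypts the volume and hands Glance ciphertext only.
func cinderUpload(owner, keyID string, volume []byte) (Image, error) {
	gcm, err := gcmFor(keyID)
	if err != nil {
		return Image{}, err
	}
	img := Image{Owner: owner, KeyID: keyID, Cipher: "aes-256-gcm", Nonce: make([]byte, gcm.NonceSize())}
	if _, err := rand.Read(img.Nonce); err != nil {
		return Image{}, err
	}
	img.Data = gcm.Seal(nil, img.Nonce, volume, aad(img))
	return img, nil
}

// novaBoot is the only point where plaintext reappears; any change Glance made to data or bound metadata fails authentication.
func novaBoot(img Image) ([]byte, error) {
	gcm, err := gcmFor(img.KeyID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, img.Nonce, img.Data, aad(img))
}
```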