All,

Please reply or send me an email if you are using the ConfKeyManager (fixed-key key manager) in deployment for volume encryption or ephemeral storage encryption. You can check this by looking at the [keymgr] section, api_class entry of nova.conf or cinder.conf. The ConfKeyManager was only intended for testing and I am working on deprecating it. I would like to gauge the number of people using that backend, because it may affect the deprecation strategy.
This is the start of the effort to replace the duplicated key manager code with Castellan [1], a key manager interface library that allows the user to swap out different backends, such as Barbican. While Castellan is based on the key managers built into Nova and Cinder, it does not have the fixed-key backend. That backend is insecure. A single key is used for all volumes. If the key is compromised, all of the encrypted data is easily decrypted. See Joel Coffman's comments on the Nova spec [2]. Deprecating the fixed-key key manager would need to occur before Castellan is integrated.

Again, please let me know if you use the ConfKeyManager and you actively use the volume encryption and encrypted cinder volume features in a deployment. Other feedback is also welcome. I am also creating a separate thread with this info on the operators mailing list.

Thanks,
Kaitlin Farr

1. Castellan source code. https://github.com/openstack/castellan
2. Castellan integration Nova spec. https://review.openstack.org/#/c/247561/
3. Castellan integration Cinder spec. https://review.openstack.org/#/c/247577/

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
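As an added example (not code from the message above or from Nova/Cinder), a small audit script that performs the [keymgr] api_class check the message asks operators to do. The sample config fragments are constructed; a missing api_class is reported as "unset" rather than assumed safe, because the release default then applies and should be looked up.

```python
"""Audit a nova.conf / cinder.conf [keymgr] api_class for the fixed-key backend.
Added example; not code from the original message or from Nova/Cinder."""
import configparser
import sys

# Constructed sample fragments (not from real deployments) for the three
# outcomes an operator can hit. Only the class name "ConfKeyManager" is
# used for matching, so nova.* and cinder.* module paths both register.
SAMPLES = {
    "nova.conf (fixed key)":
        "[DEFAULT]\ndebug = False\n\n[keymgr]\n"
        "api_class = nova.keymgr.conf_key_mgr.ConfKeyManager\n",
    "nova.conf (barbican)":
        "[keymgr]\napi_class = nova.keymgr.barbican.BarbicanKeyManager\n",
    "cinder.conf (api_class missing)":
        "[keymgr]\nencryption_auth_url = http://127.0.0.1:5000/v3\n",
}


def classify_keymgr(conf_text):
    """Return (status, api_class): "fixed-key" for the ConfKeyManager,
    "other" for any other backend, "unset" when [keymgr]/api_class is
    absent (the release default then applies; look it up, don't assume)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    api_class = parser.get("keymgr", "api_class", fallback="").strip()
    if not api_class:
        return ("unset", None)
    if api_class.rsplit(".", 1)[-1] == "ConfKeyManager":
        return ("fixed-key", api_class)
    return ("other", api_class)


def audit(paths):
    """Classify each file; returns {path: (status, api_class)}."""
    out = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            out[path] = classify_keymgr(fh.read())
    return out


if __name__ == "__main__":
    # Real files on the command line, else the constructed samples above.
    report = audit(sys.argv[1:]) if sys.argv[1:] else {
        k: classify_keymgr(v) for k, v in SAMPLES.items()}
    for name, (status, cls) in report.items():
        print(f"{name}: {status}" + (f"  [{cls}]" if cls else ""))
```

Run it as `python audit_keymgr.py /etc/nova/nova.conf /etc/cinder/cinder.conf` to check a real host; any "fixed-key" result is a deployment the message is asking to hear about.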