Slightly off topic, But I remember a discussion involving encrypted volumes and nova(?) and there was an issue where an issue/bug where nova was using the wrong key – like it got hashed wrong and was using the badly hashed key/password vs’s what was configured.
___________________________________________________________________ Kris Lindgren Senior Linux Systems Engineer GoDaddy From: Joe Topjian <j...@topjian.net> Date: Monday, January 23, 2017 at 12:41 PM To: "openstack-operators@lists.openstack.org" <openstack-operators@lists.openstack.org> Subject: [Openstack-operators] Encrypted Cinder Volume Deployment Hi all, I'm investigating the options for configuring Cinder with encrypted volumes and have a few questions. The Cinder environment is currently running Kilo which will be upgraded to something between M-O later this year. The Kilo release supports the fixed_key setting. I see fixed_key is still supported, but has been abstracted into Castellan. Question: If I configure Kilo with a fixed key, will existing volumes still be able to work with that same fixed key in an M, N, O release? Next, fixed_key is discouraged because of it being a single key for all tenants. My understanding is that Barbican provides a way for each tenant to generate their own key. Question: If I deploy with fixed_key (either now or in a later release), can I move from a master key to Barbican without bricking all existing volumes? Are there any other issues to be aware of? I've done a bunch of Googling and searching on bugs.launchpad.net<http://bugs.launchpad.net> and am pretty satisfied with the current state of support. My intention is to provide users with simple native encrypted volume support - not so much supporting uploaded volumes, bootable volumes, etc. But what I want to make sure of is that I'm not in a position where in order to upgrade, a bunch of volumes become irrecoverable. Thanks, Joe
_______________________________________________ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
