Cinder can manage the encryption of volumes, and it happens transparently to the guest: the instance sees an ordinary block device while the data is encrypted before it reaches the storage backend. Encryption is enabled at the volume type level.
Encryption can be enabled either when creating a new volume type or by adding it to an existing volume type that has no volumes in use. The encryption keys are held by the key manager Cinder is configured with (Barbican in a production deployment), so that service must be reachable before an encrypted volume can be created. To enable volume encryption, you will need the following:
- An openrc file with appropriate credentials for the environment
- The openstack command-line client

For our example, the values will be as follows:
- Volume type: Cookbook Encrypted Volumes
- Encryption provider: nova.volume.encryptors.luks.LuksEncryptor
- Control location: front-end
- Key size: 256
- Cipher: aes-xts-plain64
To enable volume encryption as a new volume type, the following command is used:
openstack volume type create --description "LUKS Encrypted volumes" --encryption-provider nova.volume.encryptors.luks.LuksEncryptor --encryption-control-location front-end --encryption-key-size 256 --encryption-cipher aes-xts-plain64 "Encrypted"
We would then use this "Encrypted" volume type when creating a volume as follows:
openstack volume create --size 1 --type "Encrypted" --description "An encrypted volume" encrypted.volume
Encryption is configured on the volume type, and thus additional parameters are passed to openstack volume type create:

- The --encryption-provider flag lets Cinder know which provider will perform the encryption. As with storage backends, there are a number of providers available; refer to the OpenStack documentation for a current list. On recent releases the short provider name luks is accepted in place of the class path used above.
- The --encryption-control-location parameter tells Cinder where the encryption will be handled. In our case, front-end means that Nova will be handling the encryption on the compute host, so the storage backend only ever sees ciphertext.
- The --encryption-key-size parameter specifies the size of the key used, in bits. 256 was selected for the example so as not to crush lab performance. Note that XTS modes such as aes-xts-plain64 split the key into two halves, so a 256-bit key gives AES-128-XTS; a 512-bit key is needed for AES-256-XTS. The encryption provider and cipher you choose will come with specific recommendations.
- The --encryption-cipher parameter specifies which cipher to use. You can run cryptsetup benchmark on a compute host to get a list of available options and an idea of how they will perform.
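The cipher and key-size choice described above, as an added example that is not part of the cookbook: a small POSIX shell script that reads cryptsetup benchmark output, reports the effective AES strength of an XTS key size, picks the fastest cipher that still meets a minimum strength, validates the key size, and only then creates and inspects the volume type. The benchmark output embedded in the script is constructed, not measured; the create_encrypted_type function assumes a sourced openrc and uses the short provider name luks, which recent releases document in place of the class path used on this page. The function names are the example's own, not Cinder's.

```shell
#!/bin/sh
# Added example, not from the cookbook: helpers for choosing and checking the
# --encryption-cipher / --encryption-key-size pair before creating the type.

# Constructed sample of `cryptsetup benchmark` output (figures are made up,
# not measured); on a real compute host run `cryptsetup benchmark` instead.
SAMPLE_BENCHMARK='# Tests are approximate using memory only (no storage IO).
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b      1034.5 MiB/s      3412.1 MiB/s
    serpent-cbc        128b        89.5 MiB/s       410.3 MiB/s
        aes-xts        256b      3012.2 MiB/s      3001.9 MiB/s
        aes-xts        512b      2455.8 MiB/s      2448.3 MiB/s
    serpent-xts        256b       420.1 MiB/s       405.0 MiB/s'

# Effective key strength in bits for a cipher and --encryption-key-size.
# XTS uses two independent AES keys, so dm-crypt splits the key in half:
# aes-xts-plain64 with 256 is AES-128-XTS, with 512 it is AES-256-XTS.
effective_bits() {
    case "$1" in
        *xts*) echo $(( $2 / 2 )) ;;
        *)     echo "$2" ;;
    esac
}

# Key sizes dm-crypt accepts for the cipher: XTS needs 256 or 512 bits,
# the other AES modes take 128, 192 or 256.
validate_key_size() {
    case "$1" in
        *xts*) case "$2" in 256|512)     return 0 ;; esac ;;
        *)     case "$2" in 128|192|256) return 0 ;; esac ;;
    esac
    return 1
}

# Print "<algorithm> <keybits> <MiB/s>" for the fastest benchmark line in
# cipher family $1 (e.g. aes) whose effective strength is at least $2 bits.
fastest_cipher() {
    family=$1; min_bits=$2
    printf '%s\n' "$SAMPLE_BENCHMARK" |
    while read -r algo key enc _rest; do
        case "$algo" in "#"*|"") continue ;; esac          # comment lines
        case "$algo" in "$family"-*) ;; *) continue ;; esac # other families
        keybits=${key%b}                                    # "256b" -> 256
        [ "$(effective_bits "$algo" "$keybits")" -ge "$min_bits" ] || continue
        printf '%s %s %s\n' "$algo" "$keybits" "${enc%.*}"  # integer MiB/s
    done | sort -k3 -n -r | head -n 1
}

# Create the encrypted volume type and show the encryption spec Cinder stored.
# Needs a sourced openrc; "luks" is the short provider name recent releases
# document in place of nova.volume.encryptors.luks.LuksEncryptor.
create_encrypted_type() {
    name=$1; cipher=$2; keybits=$3
    validate_key_size "$cipher" "$keybits" || {
        echo "$keybits-bit keys are not valid for $cipher" >&2; return 1; }
    openstack volume type create \
        --encryption-provider luks \
        --encryption-control-location front-end \
        --encryption-cipher "$cipher" \
        --encryption-key-size "$keybits" \
        "$name" &&
    openstack volume type show --encryption-type "$name"
}

# Pick the fastest AES cipher that still gives AES-256 strength, then build
# the dm-crypt cipher spec Cinder expects (the -plain64 IV mode appended).
pick=$(fastest_cipher aes 256)        # aes-xts 512 2455 with the sample data
set -- $pick
CIPHER="$1-plain64"; KEYBITS=$2
echo "chosen: --encryption-cipher $CIPHER --encryption-key-size $KEYBITS" \
     "(effective AES-$(effective_bits "$CIPHER" "$KEYBITS"))"

# Only talk to a real cloud when the client is installed.
if command -v openstack >/dev/null 2>&1; then
    create_encrypted_type "Encrypted" "$CIPHER" "$KEYBITS"
fi
```

With the sample figures the script keeps the page's cipher but moves the key size from 256 to 512, because 256 only yields AES-128-XTS. After a volume has been created with --type Encrypted, openstack volume show on it should list the encrypted field as True; if it does not, the type's encryption spec was not applied.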