Enabling volume encryption

Cinder can manage the encryption of volumes, and it happens transparent to the guest. Encryption is enabled on a volume type level.

Getting ready

Encryption can be enabled either when creating a new volume type or added to an existing volume type that has no volumes in use. To enable volume encryption, you will need the following:

  • An openrc file with appropriate credentials for the environment
  • The openstack command-line client
  • The name of the volume type
  • Name of the encryption provider
  • Encryption control location
  • Encryption key size
  • Encryption cipher

For our example, these will be as follows:

  • Name: Cookbook Encrypted Volumes
  • Encryption provider: nova.volume.encryptors.luks.LuksEncryptor
  • Encryption control location: front-end
  • Encryption key size: 256
  • Encryption cipher: aes-xts-plain64

Note

The encryption-specific values you choose will be based on what is available in your particular environment. A detailed discussion of these values is beyond the scope of this book.

How to do it…

To enable volume encryption as a new volume type, the following command is used:

openstack volume type create
    --description "LUKS Encrypted volumes"
    --encryption-provider nova.volume.encryptors.luks.LuksEncryptor
    --encryption-control-location front-end
    --encryption-key-size 256
    --encryption-cipher aes-xts-plain64
    "Encrypted"

We would then use this "Encrypted" volume type when creating a volume as follows:

openstack volume create
    --size 1
    --type "Encrypted"
    --description "An encrypted volume"
    encrypted.volume

How it works…

Volumes are configured as a volume type, and thus, additional parameters are passed to openstack volume type create:

  • The --encryption-provider flag let's Cinder know which provider will perform the encryption. As with storage backends, there are a number of providers available. Refer to the OpenStack documentation for a current list.
  • The --encryption-control-location parameter tells Cinder where the encryption will be handled. In our case, front-end means that Nova will be handling the encryption.
  • Next, the --encryption-key-size parameter specifies the size of the key used. 256 was selected for the example as to not crush lab performance. The encryption provider and cipher you choose will provide specific recommendations.
  • Finally, --encryption-cipher specifies which cipher to use. You can use cryptsetup benchmark to get a list of available options and an idea as to how they will perform.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.15.34.154