Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Enabling volume encryption

Cinder can manage the encryption of volumes, and it happens transparent to the guest. Encryption is enabled on a volume type level.

Getting ready

Encryption can be enabled either when creating a new volume type or added to an existing volume type that has no volumes in use. To enable volume encryption, you will need the following:

An openrc file with appropriate credentials for the environment
The openstack command-line client
The name of the volume type
Name of the encryption provider
Encryption control location
Encryption key size
Encryption cipher

For our example, these will be as follows:

Name: Cookbook Encrypted Volumes
Encryption provider: nova.volume.encryptors.luks.LuksEncryptor
Encryption control location: front-end
Encryption key size: 256
Encryption cipher: aes-xts-plain64

Note

The encryption-specific values you choose will be based on what is available in your particular environment. A detailed discussion of these values is beyond the scope of this book.

How to do it…

To enable volume encryption as a new volume type, the following command is used:

openstack volume type create
    --description "LUKS Encrypted volumes"
    --encryption-provider nova.volume.encryptors.luks.LuksEncryptor
    --encryption-control-location front-end
    --encryption-key-size 256
    --encryption-cipher aes-xts-plain64
    "Encrypted"

We would then use this "Encrypted" volume type when creating a volume as follows:

openstack volume create
    --size 1
    --type "Encrypted"
    --description "An encrypted volume"
    encrypted.volume

How it works…

Volumes are configured as a volume type, and thus, additional parameters are passed to openstack volume type create:

The --encryption-provider flag let's Cinder know which provider will perform the encryption. As with storage backends, there are a number of providers available. Refer to the OpenStack documentation for a current list.
The --encryption-control-location parameter tells Cinder where the encryption will be handled. In our case, front-end means that Nova will be handling the encryption.
Next, the --encryption-key-size parameter specifies the size of the key used. 256 was selected for the example as to not crush lab performance. The encryption provider and cipher you choose will provide specific recommendations.
Finally, --encryption-cipher specifies which cipher to use. You can use cryptsetup benchmark to get a list of available options and an idea as to how they will perform.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Enabling volume encryption

Create new playlist

Sign In

Sign Up

Enabling volume encryption

Getting ready

Note

How to do it…

How it works…

Table of Contents for
Enabling volume encryption