Bug 1352501

Summary: [RFE] LUKs key management on RHEV
Product: Red Hat Enterprise Virtualization Manager
Reporter: vaibhav <vpagar>
Component: RFEs
Assignee: Rob Young <royoung>
Status: NEW ---
QA Contact: meital avital <mavital>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.5.0
CC: berrange, cnagarka, klaas, lsurette, mtessun, rbalakri, srevivo, stefano.stagnaro, tgolembi, vpagar
Target Milestone: ---
Keywords: FutureFeature, Reopened
Target Release: ---
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-18 13:57:20 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Virt
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1301026, 1821539, 1301019, 1301021, 1406796, 1406803, 1406805, 1518998, 1518999, 1631239
Bug Blocks:

Description vaibhav 2016-07-04 09:28:00 UTC
Description of problem: LUKS key management for VMs running on RHEV

We want to encrypt VMs' root disks and non-root disks with LUKS encryption, and the encryption-related things should be taken care of by RHEV.

Customer's statement: I'm required to run our guest Linux VMs (RHEL7.2) with full LUKS encryption of their root fs and any extra virtual disks attached. Having to enter a LUKS key phrase on boot of each VM is not practical. Does RHEV have any sort of LUKS key management for supporting LUKS encrypted virtual machines?


Comment 7 vaibhav 2017-04-15 00:41:42 UTC
I have communicated the same to the customer. The customer hasn't come back yet.

Comment 8 Klaas Demter 2017-11-14 15:20:10 UTC
There is https://bugzilla.redhat.com/show_bug.cgi?id=1336045 with a similar goal, but in general this is already covered by RHEL, I'd say ( https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_network-bound_disk_encryption )

Comment 10 Martin Tessun 2018-06-18 13:57:20 UTC
Thank you for submitting this request for inclusion in Red Hat Virtualization. We've carefully evaluated the request, but are unable to include it in a future release. To request that Red Hat re-consider this request, please re-open the bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Comment 11 Franta Kust 2019-05-16 13:04:31 UTC
BZ<2>Jira Resync

Comment 13 Tomáš Golembiovský 2020-09-23 08:26:33 UTC
I understand there may be situations where encryption on storage level is necessary, but I am wondering how well customers are aware of other existing methods for key management. For example network-bound encryption [1] provided by tang/clevis.

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening

Comment 14 Klaas Demter 2020-09-23 09:14:27 UTC
(In reply to Tomáš Golembiovský from comment #13)
> I understand there may be situations where encryption on storage level is
> necessary, but I am wondering how well customers are aware of other existing
> methods for key management. For example network-bound encryption [1]
> provided by tang/clevis.
> 
> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening

From a customer POV: see comment 8; I am aware of clevis/tang. But the golden image scenario is not covered by clevis/tang ( https://github.com/osbuild/osbuild-composer/issues/326 ). Once this is possible I would see no need for another layer of encryption outside of the individual VMs.