Cloned from launchpad blueprint https://blueprints.launchpad.net/cinder/+spec/backup-support-for-encrypted-volumes.

Description:

Encrypted volumes require backups to include a clone of the volume's encryption key UUID so that the encryption key is available when the backup is restored. Otherwise, backups of encrypted volumes are unusable since their data cannot be decrypted! This blueprint supports backing up encryption metadata using the approach created for the backup volume metadata support blueprint (see  https://blueprints.launchpad.net/cinder/+spec/cinder-backup-volume-metadata-support) in the Icehouse patch  https://review.openstack.org/#/c/51900/.

When an encrypted volume is backed up, a copy of the volume's encryption key UUID will be stored with the metadata of the volume. Using a copied encryption key UUID (copied through the key manager), instead of an exact duplicate of the volume's encryption key UUID, allows the source volume to be deleted and its encryption key UUID made invalid. This copied encryption key UUID will allow access to the key used to encrypt the source volume when the backup is restored.

When a backup of an encrypted volume is restored, the backup driver will only allow the restoration of the volume when the source volume's volume type is available, and the destination volume (if specified) is of the same volume type. This is because volume types are used to specify the different encryption parameters, such as key_size and cipher. If the source volume's volume type is no longer available, the backup restoration will fail. Likewise, if the specified destination volume is of a different volume type than the source volume, the backup restoration will fail. If a destination volume is not specified, and the source volume's volume type is still available, the created destination volume will become the volume type of the source volume.

Specification URL (additional information):

None