NFV and other customers want to ensure a hard level of security in a multi-tenant storage environment. Cinder has support for encrypted volume types. This needs to be exposed in OSP-D.
In the meantime we're configuring it in the puppet module and in tripleo heat templates, you can already do that:
So if you want:
    [section]
    parameter = something
You can edit puppet/hieradata/controller.yaml:
    cinder::config::cinder_config:
      section/parameter:
        value: 'something'
And it will apply the right configuration to Cinder.
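How the `section/parameter` keys in the hieradata above map onto cinder.conf sections, as an added Python example (not code from this thread or from the puppet module). It imitates the mapping rather than calling Puppet, and the sample entries and the function name `apply_cinder_config` are constructed for illustration.

```python
import configparser
import io

# Constructed sample: the placeholder entry from the comment above plus one
# hypothetical DEFAULT option; neither is a real Cinder setting.
SAMPLE_HIERA = {
    "cinder::config::cinder_config": {
        "section/parameter": {"value": "something"},
        "DEFAULT/example_option": {"value": "example"},
    }
}


def apply_cinder_config(conf_text, hiera):
    """Merge 'section/parameter' hieradata entries into cinder.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names case-sensitive
    cp.read_string(conf_text)
    entries = hiera.get("cinder::config::cinder_config", {})
    for key, attrs in entries.items():
        # Split on the first slash only: left is the INI section, right the option.
        section, sep, option = key.partition("/")
        if not sep or not section or not option:
            raise ValueError(f"expected 'section/parameter', got {key!r}")
        if "value" not in attrs:
            raise ValueError(f"{key!r} has no 'value'")
        # DEFAULT always exists in configparser and cannot be added again.
        if section != cp.default_section and not cp.has_section(section):
            cp.add_section(section)
        cp.set(section, option, str(attrs["value"]))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    # Existing settings in the same section are kept; new ones are merged in.
    print(apply_cinder_config("[section]\nother = kept\n", SAMPLE_HIERA))
```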
I think what you need is to run some CLI commands to enable encryption. Please look at http://docs.openstack.org/kilo/config-reference/content/section_create-encrypted-volume-type.html
You might need to run:
    cinder type-create LUKS
    cinder encryption-type-create --cipher aes-xts-plain64 --key_size 512 \
      --control_location front-end LUKS nova.volume.encryptors.luks.LuksEncryptor
"Support for creating the volume type in the OpenStack dashboard (horizon) exists today, however support for tagging the type as encrypted and providing the additional information needed is still in review."
Please confirm this workaround works for you now and if yes we will automate it in the installer.
Sorry to ask again, I might be confused, but I still need to know if this solution works for you. Before changing anything in the installer, we might need your feedback on this proposal. Thank you
Sorry for the delayed response. This needs to wait for encryption in qemu and nova for rbd. Since qemu is accessing rbd directly, there is no block device on the compute host for the existing nova encryption setup to work with.
This bug did not make the OSP 8.0 release. It is being deferred to OSP 10.
I wanted to confirm that encryption has moved out to OSP11. I will move this bug when I hear from Federico. Thanks
This is actually worth doing in this cycle if we at all can.
Libvirt needs to support RBD encryption in order to address this, which will not occur in the RHOS 11 timeframe. Pushing to 12.