Bug 1262120 - [RFE] Expose encrypted volume options for Cinder volumes backed by RBD
Summary: [RFE] Expose encrypted volume options for Cinder volumes backed by RBD
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: 9.0 (Mitaka)
Hardware: Unspecified
OS: Unspecified
Target Milestone: Upstream M1
: ---
Assignee: Alan Bishop
QA Contact: Yogev Rabl
Depends On: 1230405 1262121 1285089 1297980 1301019
Blocks: 1291943 1411525
TreeView+ depends on / blocked
Reported: 2015-09-10 20:33 UTC by Neil Levine
Modified: 2017-12-05 04:14 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2017-10-13 14:58:37 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Neil Levine 2015-09-10 20:33:18 UTC
NFV and other customers want to ensure a hard level of security in a multi-tenant storage environment. Cinder has support for encrypted volume types. This needs to be exposed in OSP-D.

Comment 3 Emilien Macchi 2015-09-17 16:22:27 UTC
In the meantime we're configuring it in the puppet module and in tripleo heat tempaltes, you can already do that:

So if you want:

parameter = something

You can edit puppet/hieradata/controller.yaml:

    value: 'something'

And it will apply the right configuration to Cinder.

Comment 4 Emilien Macchi 2015-09-17 16:32:35 UTC
I think what you need is to run some CLI commands to enable encryption.
Please look http://docs.openstack.org/kilo/config-reference/content/section_create-encrypted-volume-type.html

You might need to run:

cinder type-create LUKS
cinder encryption-type-create --cipher aes-xts-plain64 --key_size 512 \
  --control_location front-end LUKS nova.volume.encryptors.luks.LuksEncryptor

"Support for creating the volume type in the OpenStack dashboard (horizon) exists today, however support for tagging the type as encrypted and providing the additional information needed is still in review."

Please confirm this workaround works for you now and if yes we will automate it in the installer.

Comment 5 Emilien Macchi 2015-09-21 18:19:51 UTC
Sorry to ask again, I might be confused, but I still need if this solution works for you.
Before changing anything in the installer, we might need your feedback on this proposal.

Thank you

Comment 6 Josh Durgin 2015-12-11 00:35:13 UTC
Sorry for the delayed response. This needs to wait for encryption in qemu and nova for rbd. Since qemu is accessing rbd directly, there is no block device on the compute host for the existing nova encryption setup to work with.

Comment 8 Mike Burns 2016-04-07 20:50:54 UTC
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.

Comment 10 Jeff Brown 2016-09-13 17:28:57 UTC
I wanted to confirm that encryption has moved out to OSP11.  I will move this bug when I hear from Federico.


Comment 11 Federico Lucifredi 2016-09-15 06:57:52 UTC
This is actually worth doing in this cycle if we at all can.

Comment 12 Elise Gafford 2016-12-02 19:42:37 UTC
Libvirt needs to support RBD encryption in order to address this, which will not occur in the RHOS 11 timeframe. Pushing to 12.

Note You need to log in before you can comment on or make changes to this bug.