Bug 1305024 - RFE: Support native QEMU volume encryption
Summary: RFE: Support native QEMU volume encryption
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: unspecified
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: Upstream M3
: 13.0 (Queens)
Assignee: Lee Yarwood
QA Contact: Archit Modi
URL:
Whiteboard:
Depends On: 1305022 1333141 1406796 1406803 1518998 1631239
Blocks: 1301026 1442136 1821539 1230405 1273812 1305044
TreeView+ depends on / blocked
 
Reported: 2016-02-05 11:13 UTC by Pablo Iranzo Gómez
Modified: 2020-04-07 03:08 UTC (History)
28 users (show)

Fixed In Version: openstack-nova-17.0.0-0.20180223162252.a4a53bf.el7ost
Doc Type: Enhancement
Doc Text:
Clone Of: 1305022
: 1305044 (view as bug list)
Environment:
Last Closed: 2018-06-27 13:26:22 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
OpenStack gerrit 437070 None MERGED Libvirt: Native LUKS file and host device decryption by QEMU 2020-09-08 09:07:44 UTC
OpenStack gerrit 460243 None MERGED libvirt: Collocate encryptor and volume driver calls 2020-09-08 09:07:45 UTC
OpenStack gerrit 464008 None MERGED libvirt: Introduce disk encryption config classes 2020-09-08 09:07:45 UTC
OpenStack gerrit 490824 None MERGED Libvirt: Native LUKS decryption by QEMU 2020-09-08 09:07:44 UTC
OpenStack gerrit 523958 None MERGED libvirt: QEMU native LUKS decryption for encrypted volumes 2020-09-08 09:07:44 UTC
Red Hat Knowledge Base (Solution) 2137751 None None None 2016-02-05 11:42:37 UTC
Red Hat Product Errata RHEA-2018:2086 normal SHIPPED_LIVE Red Hat OpenStack Platform 13.0 Enhancement Advisory 2018-06-28 19:51:39 UTC

Comment 2 Daniel Berrangé 2016-02-05 11:49:28 UTC
The volume encryption in Nova was only ever designed to work with block device based volumes. Support for network attached volumes (RBD) or file based volumes (NFS) is a future RFE upstream, pending on QEMU support for LUKS. So the report is testing a feature which is known to not exist at this time. As such I'm marking this an RFE, since its not a bug.

Comment 6 Stephen Gordon 2016-09-29 15:44:46 UTC
Dan what's the state of the QEMU dependenc

Comment 7 Daniel Berrangé 2016-09-29 15:50:58 UTC
QEMU has general support for LUKS encryption of raw files and block devices in QEMU 2.6.0 onwards, but to make effective use of it in OpenStack, particularly for NFS, we need qcow2 integration. That work is still pending.

Comment 8 Sean Cohen 2016-12-21 15:29:42 UTC
(In reply to Daniel Berrange from comment #7)
> QEMU has general support for LUKS encryption of raw files and block devices
> in QEMU 2.6.0 onwards, but to make effective use of it in OpenStack,
> particularly for NFS, we need qcow2 integration. That work is still pending.


Native integration of LUKS and qcow2 is targeted at 7.4, adding bug 1406803 dependancy. 
Seam

Comment 20 errata-xmlrpc 2018-06-27 13:26:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086


Note You need to log in before you can comment on or make changes to this bug.