Bug 1305024 - RFE: Support native QEMU volume encryption
Summary: RFE: Support native QEMU volume encryption
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: Upstream M3
Target Release: 13.0 (Queens)
Assignee: Lee Yarwood
QA Contact: Archit Modi
URL:
Whiteboard:
Depends On: 1305022 1333141 1406796 1406803 1518998 1631239
Blocks: 1821539 1230405 1273812 1301026 1305044 1442136
Reported: 2016-02-05 11:13 UTC by Pablo Iranzo Gómez
Modified: 2022-03-13 14:14 UTC

Fixed In Version: openstack-nova-17.0.0-0.20180223162252.a4a53bf.el7ost
Doc Type: Enhancement
Doc Text:
Clone Of: 1305022
: 1305044 (view as bug list)
Environment:
Last Closed: 2018-06-27 13:26:22 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 437070 0 None MERGED Libvirt: Native LUKS file and host device decryption by QEMU 2021-02-10 21:52:43 UTC
OpenStack gerrit 460243 0 None MERGED libvirt: Collocate encryptor and volume driver calls 2021-02-10 21:52:44 UTC
OpenStack gerrit 464008 0 None MERGED libvirt: Introduce disk encryption config classes 2021-02-10 21:52:44 UTC
OpenStack gerrit 490824 0 None MERGED Libvirt: Native LUKS decryption by QEMU 2021-02-10 21:52:44 UTC
OpenStack gerrit 523958 0 None MERGED libvirt: QEMU native LUKS decryption for encrypted volumes 2021-02-10 21:52:44 UTC
Red Hat Issue Tracker OSP-13538 0 None None None 2022-03-13 14:14:09 UTC
Red Hat Knowledge Base (Solution) 2137751 0 None None None 2016-02-05 11:42:37 UTC
Red Hat Product Errata RHEA-2018:2086 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 13.0 Enhancement Advisory 2018-06-28 19:51:39 UTC

Comment 2 Daniel Berrangé 2016-02-05 11:49:28 UTC
The volume encryption in Nova was only ever designed to work with block device based volumes. Support for network attached volumes (RBD) or file based volumes (NFS) is a future RFE upstream, pending on QEMU support for LUKS. So the report is testing a feature which is known to not exist at this time. As such I'm marking this an RFE, since it's not a bug.

Comment 6 Stephen Gordon 2016-09-29 15:44:46 UTC
Dan what's the state of the QEMU dependenc

Comment 7 Daniel Berrangé 2016-09-29 15:50:58 UTC
QEMU has general support for LUKS encryption of raw files and block devices in QEMU 2.6.0 onwards, but to make effective use of it in OpenStack, particularly for NFS, we need qcow2 integration. That work is still pending.

Comment 8 Sean Cohen 2016-12-21 15:29:42 UTC
(In reply to Daniel Berrange from comment #7)
> QEMU has general support for LUKS encryption of raw files and block devices
> in QEMU 2.6.0 onwards, but to make effective use of it in OpenStack,
> particularly for NFS, we need qcow2 integration. That work is still pending.

Native integration of LUKS and qcow2 is targeted at 7.4, adding bug 1406803 dependency.
Sean

Comment 20 errata-xmlrpc 2018-06-27 13:26:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086

