Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1644787

Summary: [RFE]: support for glance encrypted image with keys managed by barbican.
Product: Red Hat OpenStack Reporter: Pierre Amadio <pamadio>
Component: openstack-barbicanAssignee: Ade Lee <alee>
Status: CLOSED DUPLICATE QA Contact: Pavan <pkesavar>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 13.0 (Queens)CC: gcharot, hrybacki
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-14 09:14:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pierre Amadio 2018-10-31 15:27:14 UTC
this is a request for official support of encrypted glance image with private key stored in barbican.

It is similar to what is done bz#1471633 in comment#4 but with barbican on top of it.

I have been told the following is working, but not tested yet nor officially supported:

##############
1/ Generate a barbican key
openstack secret order create --name mykey --algorithm aes --mode ctr --bit-length 256 --payload-content-type=application/octet-stream key

2/ Get key and ID from 1/

3/ Generate encrypted image with 2/ as LUKS key.

4/ Upload the image into glance with cinder_encryption_key_id=$ID_KEY_BARBICAN (récupéré en 2/)

5/ Create volume from image

6/ Attach volume to instance

7/ VM mount the volume.
##################

Being able to boot from the encryted volume (instead of attaching it in a "vanilla" unencrypted image based vm in point 5) is also requested.

all user of the same tenant/project should be able to use the barbican defined key.

Comment 3 Gregory Charot 2020-04-14 09:14:31 UTC

*** This bug has been marked as a duplicate of bug 1668213 ***