Kilo

 Volume encryption with static key

This is an implementation of a key manager that reads its key from the project's configuration options.

This key manager implementation provides limited security, assuming that the key remains secret. Volume encryption provides protection against a lost or stolen disk, assuming that the configuration file that contains the key is not stored on the disk. Encryption also protects the confidentiality of data as it is transmitted via iSCSI from the compute host to the storage host as long as an attacker who intercepts the data does not know the secret key.

Because this implementation uses a single, fixed key, it does not provide protection if that key is compromised. In particular, different volumes encrypted with a key provided by this key manager actually share the same encryption key, so any volume can be decrypted once the fixed key is known.
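The conditions above (the key stays secret, and the file holding it is not exposed) can be checked on a host. The following is an added example, not code from the project: it audits a service configuration file for a static key. The `[keymgr]` section name, the `fixed_key` option name, the hex encoding of the value and the file name `service.conf` are assumptions not stated on this page, and the sample configuration is constructed.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample; the key is a made-up placeholder, not a real secret.
SAMPLE_CONF = """[DEFAULT]
debug = False

[keymgr]
fixed_key = 0000000000000000000000000000000000000000000000000000000000000000
"""


def audit_static_key(conf_path, section="keymgr", option="fixed_key"):
    """Return findings for a service config file that may hold the static key.

    The section and option names are assumptions (not stated on this page).
    """
    parser = configparser.RawConfigParser(strict=False)
    parser.read(conf_path)
    if not parser.has_option(section, option):
        return []  # no static key configured in this file
    findings = ["static key configured: all encrypted volumes share it"]
    key_hex = parser.get(section, option).strip()
    try:
        key = bytes.fromhex(key_hex)
    except ValueError:
        findings.append("key is not valid hex")
    else:
        if not key:
            findings.append("key is empty")
        elif len(set(key)) == 1:
            findings.append("key is one repeated byte (placeholder value)")
    mode = stat.S_IMODE(os.stat(conf_path).st_mode)
    if mode & 0o007:
        findings.append("config file is accessible to 'other' users (mode %04o)" % mode)
    return findings


def audit_sample(mode):
    """Write SAMPLE_CONF to a temp file with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "service.conf")
        with open(path, "w") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, mode)
        return audit_static_key(path)


if __name__ == "__main__":
    for finding in audit_sample(0o644):
        print("FINDING:", finding)
```
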

Updates are in the pipeline which will provide true key manager support via the key management service. This will provide much better security once complete.
