The nova.keymgr.conf_key_mgr Module

An implementation of a key manager that reads its key from the project’s configuration options.

This key manager implementation provides limited security, assuming that the key remains secret. Using the volume encryption feature as an example, encryption provides protection against a lost or stolen disk, assuming that the configuration file that contains the key is not stored on the disk. Encryption also protects the confidentiality of data as it is transmitted via iSCSI from the compute host to the storage host (again assuming that an attacker who intercepts the data does not know the secret key).

Because this implementation uses a single, fixed key, it proffers no protection once that key is compromised. In particular, different volumes encrypted with a key provided by this key manager actually share the same encryption key so any volume can be decrypted once the fixed key is known.

class ConfKeyManager

Bases: nova.keymgr.single_key_mgr.SingleKeyManager

This key manager implementation supports all the methods specified by the key manager interface. This implementation creates a single key in response to all invocations of create_key. Side effects (e.g., raising exceptions) for each method are handled as specified by the key manager interface.

Previous topic

The nova.keymgr.barbican Module

Next topic

The nova.keymgr.key Module

Project Source

This Page