Ephemeral/volumes encryption backed by Ceph

Hi,

Due to security concerns, we are asked to encrypt the devices used by instances on OpenStack (nova ephemeral disks and cinder volumes). We’re using Ceph for ephemeral disks and a storage array (Pure Storage) for Cinder volumes.

I see some options related to volume encryption in both the ceph-osd and nova-compute charms. As I said, what I want is to encrypt both the ephemeral and the cinder volume devices. It is a bit unclear to me if:

  • since my ephemeral devices are backed by Ceph (libvirt-image-backend: rbd), do I have to enable the nova-compute charm’s encrypt: True option, the ceph-osd charm’s osd-encrypt option, or both? If I enable both, does it mean I’m encrypting the data twice?
  • I didn’t see any encrypt option in the cinder charm; does it mean that enabling encrypt on the nova-compute charm will encrypt any cinder volume attached to the instance?
  • If I only enable encrypt in the nova-compute charm, will it encrypt any disk attached to the instance, whether it is ephemeral or cinder based? (In that case, enabling encrypt only at the nova-compute level would be enough and would avoid double encryption.)

What’s your feedback on this? Is anybody using nova/ceph encryption? What would be the best practices?

Best regards.

So I can only answer some of this, as I don’t know everything.

The encrypt option is for encryption at rest; I think it uses dmcrypt.

As you are using ceph for ephemeral, you would need to configure the ceph encrypt option and not the nova one, as the nova option would encrypt the disk assigned to libvirt to use. That would be used if you did not have ceph and used the computes’ local disks.

For your cinder volumes, as you are using something other than ceph, either look at your storage to see what encryption options it has, or you will need to look at volume types to set up volume encryption.

I hope this answers some and puts you on the right path :grin:

I must say, good luck on converting existing OSD disks to encrypted, as the charm will do nothing to existing running OSDs. If it did, you would lose all your data.
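A check to go with the warning above about existing OSDs, added here as an example and not code from the thread: since OSDs created before osd-encrypt was set stay unencrypted, this parses the `ceph-volume lvm list` report (which prints an `encrypted` field per OSD) and lists the OSDs that are still plain. The report layout it assumes is sketched in the constructed sample.

```shell
#!/bin/sh
# Added example, not code from the thread or the charms. Lists OSDs on a
# host whose `ceph-volume lvm list` report shows "encrypted 0", i.e. OSDs
# deployed before ceph-osd's osd-encrypt took effect and still unencrypted.
# On a real OSD host: sudo ceph-volume lvm list | unencrypted_osds

# Constructed sample in the shape of `ceph-volume lvm list` output:
# osd.0 on /dev/sdb is plain, osd.1 on /dev/sdc is dmcrypt-backed.
SAMPLE='====== osd.0 =======

  [block]       /dev/ceph-aaaa/osd-block-aaaa

      block device              /dev/ceph-aaaa/osd-block-aaaa
      encrypted                 0
      osd id                    0
      type                      block
      devices                   /dev/sdb

====== osd.1 =======

  [block]       /dev/ceph-bbbb/osd-block-bbbb

      block device              /dev/ceph-bbbb/osd-block-bbbb
      encrypted                 1
      osd id                    1
      type                      block
      devices                   /dev/sdc
'

# Reads the report on stdin; prints one "osd.N <device>" line per
# unencrypted OSD. The "devices" line closes each OSD's section, so the
# encrypted flag seen since the last "====== osd.N" header applies to it.
unencrypted_osds() {
    awk '
        /^====== osd\./ { osd = $2; enc = "" }
        $1 == "encrypted" { enc = $2 }
        $1 == "devices"   { if (enc == "0") printf "%s %s\n", osd, $2 }
    '
}

# Exit status 0 when every OSD in the report on stdin is encrypted, 1 otherwise.
all_osds_encrypted() {
    [ -z "$(unencrypted_osds)" ]
}

printf '%s\n' "$SAMPLE" | unencrypted_osds
```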

Hi, thanks for this answer, but you say that “encrypt” with nova means using dmcrypt for volumes handled by libvirt, so I suppose this also concerns the “ephemeral” disks used by nova. So, to some extent, I suppose enabling “encrypt” at the nova level and disabling encryption everywhere else should do the trick, or am I mistaken?

Anyway, I’m still evaluating the feature and I’m not concerned with converting existing volumes to encrypted ones, so this is not an issue for me at the moment … but it would be interesting to have a way to encrypt/decrypt volumes in such a situation anyway.