EncryptionInOpenstack

= Encryption in OpenStack =

Just some notes and bits 'n' bobs I have gathered on various encryption efforts in various projects. Ultimately this page would like to become a reasonable overview of encryption usage as it develops across OpenStack. Please edit and extend this as desired.

Nova Ephemeral
(The disks Nova creates that live on the compute node)

Summary:
Work is progressing; Barbican key manager integration has now been accepted and merged.

Link(s) to relevant blueprints:

 * https://blueprints.launchpad.net/nova/+spec/encryption-with-barbican Nova key manager with Barbican.
 * https://blueprints.launchpad.net/nova/+spec/encryption-with-barbican Barbican key manager.
 * https://blueprints.launchpad.net/nova/+spec/encrypt-ephemeral-storage-ecryptfs work to add eCryptfs.

Link(s) to relevant reviews:

 * https://review.openstack.org/#/c/40467/ - Adds ephemeral storage encryption for LVM backend, merged.
 * https://review.openstack.org/#/c/104001/ - Adds Barbican key manager wrapper.
 * https://review.openstack.org/#/c/30973/ - Adds key manager, merged.

One line summary:
Encryption for Cinder volumes was added during Havana, but not integrated into Horizon. This has initial Barbican integration for key management.

Link(s) to relevant blueprints:

 * https://blueprints.launchpad.net/horizon/+spec/integration-with-cinder-volume-encryption

Link(s) to relevant reviews:

 * https://review.openstack.org/#/c/104339/ - Adds Barbican key manager, merged.
 * https://review.openstack.org/#/c/39292/ - Key manager interface. Merged.
 * https://review.openstack.org/#/c/71125/ - Adds encrypted volume indicator to horizon, merged.
 * https://review.openstack.org/#/c/57715/ - Horizon support for Cinder volume type encryption
 * https://review.openstack.org/#/c/72024/ - Update and delete for Cinder volume type encryption
 * https://review.openstack.org/#/c/57715/ - Add encryption type update to cinder client

One line summary:
Lots of discussions going on and spec work at the moment.

Link(s) to relevant blueprints:

 * https://blueprints.launchpad.net/swift/+spec/encrypted-objects
 * https://blueprints.launchpad.net/swift/+spec/swift-enc-proxy

Link(s) to relevant reviews:

 * Spec: https://review.openstack.org/#/c/123220/
 * Code: https://review.openstack.org/#/c/122773/

One line summary:
Nothing that I could find.

Notes:
Glance seems to have no encryption-specific stuff. It may get this from Swift containers though, once Swift's encryption efforts develop.

Other Stuff

 * Barbican use in LBaaS from Neutron: https://blueprints.launchpad.net/neutron/+spec/lbaas-ssl-termination