Volume Encryption
Our OpenStack cloud offers an encrypted volume feature as an option for use cases involving highly sensitive data.
You may need special quota to be able to use this resource. Please email support@cloud.nesi.org.nz if you get an error trying to create an encrypted volume.
Assuming you have quota, you can try this out at volume creation time. When creating a volume, instead of choosing ceph-hdd or ceph-ssd as the volume type, choose ceph-hdd-encrypted or ceph-ssd-encrypted. (Also enter the volume size in GB, and make sure "nova" is chosen for the availability zone.)
Then you can use it like a normal volume: attach it to an instance, format it, and mount it (although there could be a performance hit, which I would imagine would be small for most workloads, but I'm interested to hear some user feedback).
If you’d like to instead use an encrypted volume as a root/c: volume
You can choose the image you’d like to use in Compute → Images in the dashboard, and then in the action menu, choose Create Volume. Step through the options to create the volume.
After creating the volume, you can find it in Volumes → Volumes, and from there you can launch a new instance from the action dropdown menu next to it.
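To check afterwards which of your volumes ended up on an encrypted type, the following added example (not part of the original page or of the cloud's own tooling) parses the JSON from `openstack volume list --long -f json` and lists data and root volumes that are not on ceph-hdd-encrypted or ceph-ssd-encrypted. The column names are assumed to match that command's long listing; the sample rows and volume IDs are constructed.

```python
import json

# Encrypted volume types named on this page.
ENCRYPTED_TYPES = {"ceph-hdd-encrypted", "ceph-ssd-encrypted"}

# Constructed sample in the shape of `openstack volume list --long -f json`
# (column names assumed from the CLI's long listing; IDs are made up).
SAMPLE = """[
 {"ID": "vol-0001", "Name": "patient-data", "Status": "in-use", "Size": 200,
  "Type": "ceph-ssd-encrypted", "Bootable": "false"},
 {"ID": "vol-0002", "Name": "scratch", "Status": "available", "Size": 50,
  "Type": "ceph-hdd", "Bootable": "false"},
 {"ID": "vol-0003", "Name": "", "Status": "in-use", "Size": 30,
  "Type": "ceph-ssd", "Bootable": "true"},
 {"ID": "vol-0004", "Name": "root-enc", "Status": "in-use", "Size": 30,
  "Type": "ceph-hdd-encrypted", "Bootable": "true"}
]"""


def audit_volumes(listing_json):
    """Return (encrypted, unencrypted) lists of volume summaries."""
    encrypted, unencrypted = [], []
    for row in json.loads(listing_json):
        summary = {
            "id": row["ID"],
            "name": row.get("Name") or "(unnamed)",
            "type": row.get("Type"),
            # Bootable volumes are the root/C: volumes described above.
            "root": str(row.get("Bootable", "")).lower() == "true",
            "in_use": row.get("Status") == "in-use",
        }
        # A volume with no type, or any other type, counts as unencrypted.
        target = encrypted if summary["type"] in ENCRYPTED_TYPES else unencrypted
        target.append(summary)
    return encrypted, unencrypted


def report(listing_json):
    """Format one line per volume that is not on an encrypted type."""
    _, unencrypted = audit_volumes(listing_json)
    lines = []
    for v in unencrypted:
        role = "root" if v["root"] else "data"
        state = "in use" if v["in_use"] else "detached"
        lines.append(f"{v['id']} {v['name']}: {role} volume on {v['type']} ({state})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "all volumes use an encrypted type")
```

To run it against your own project, pass the output of that command to `report()` in place of `SAMPLE`.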
How this works with the existing at-rest encryption that is used by default
Our storage cluster has disk-at-rest encryption, so if someone were to pull a disk or a server out of the cluster in the data centre, the data on it would be encrypted. However, hypothetically, if someone gained access to the running storage nodes (with root permissions), they could potentially export/dump disk images from Ceph and take them, unencrypted.
Volume encryption provides an extra layer of security: a secure passkey is stored in the cloud secrets vault, and the volume can't be read without local access and authorisation to that keystore.
Let us know if you have any questions or comments about the above by emailing support@cloud.nesi.org.nz.