Enable Cinder volume encryption¶

TechPreview

Note

Consider this section as part of Deploy an OpenStack cluster.

This section instructs you on how to enable Cinder volume encryption through the OpenStackDeployment CR using Linux Unified Key Setup (LUKS) and store the encryption keys in Barbican. For details, see Volume encryption.

To enable Cinder volume encryption:

In the OpenStackDeployment CR, specify the LUKS volume type and configure the required encryption parameters for the storage system to encrypt or decrypt the volume.

The volume_types definition example:

spec:
  services:
    block-storage:
      cinder:
        values:
          bootstrap:
            volume_types:
              volumes-hdd-luks:
                arguments:
                  encryption-cipher: aes-xts-plain64
                  encryption-control-location: front-end
                  encryption-key-size: 256
                  encryption-provider: luks
                volume_backend_name: volumes-hdd

To create an encrypted volume as a non-admin user and store keys in the Barbican storage, assign the creator role to the user since the default Barbican policy allows only the admin or creator role:
```
openstack role add --project <PROJECT-ID> --user <USER-ID> --creator <CREATOR-ID> creator
```

Optional. To define an encrypted volume as a default one, specify volumes-hdd-luks in default_volume_type in the Cinder configuration:

spec:
  services:
    block-storage:
      cinder:
        values:
          conf:
            cinder:
              DEFAULT:
                default_volume_type: volumes-hdd-luks