Block Storage service¶
Available since MOS 21.5 TechPreview
The OpenStack Block Storage service (Cinder) supports volume encryption using a key stored in the OpenStack Key Manager service (Barbican). Such configuration uses Linux Unified Key Setup (LUKS) to create an encrypted volume type and attach it to the OpenStack Compute (Nova) instances. Nova retrieves the asymmetric key from Barbican and stores it on the OpenStack compute node as a libvirt key to encrypt the volume locally or on the back end and only after that transfers it to Cinder.
To create an encrypted volume under a non-admin user, the
creatorrole must be assigned to the user.
When planning your cloud, consider that encryption may impact CPU.