Enable Cinder volume encryption
TechPreview
Note: Consider this section as part of Deploy an OpenStack cluster.
This section instructs you on how to enable Cinder volume encryption through the OpenStackDeployment CR using Linux Unified Key Setup (LUKS) and store the encryption keys in Barbican. For details, see Volume encryption.
To enable Cinder volume encryption:

1. In the OpenStackDeployment CR, specify the LUKS volume type and configure the encryption parameters the storage system needs to encrypt or decrypt the volume. The volume_types definition example:

```yaml
spec:
  services:
    block-storage:
      cinder:
        values:
          bootstrap:
            volume_types:
              volumes-hdd-luks:
                arguments:
                  encryption-cipher: aes-xts-plain64
                  encryption-control-location: front-end
                  encryption-key-size: 256
                  encryption-provider: luks
                volume_backend_name: volumes-hdd
```

2. To create an encrypted volume as a non-admin user and store its keys in Barbican, assign the creator role to the user, since the default Barbican policy allows only the admin or creator role:

```bash
openstack role add --project <PROJECT-ID> --user <USER-ID> creator
```

3. Optional. To make the encrypted volume type the default one, specify volumes-hdd-luks in default_volume_type in the Cinder configuration:

```yaml
spec:
  services:
    block-storage:
      cinder:
        values:
          conf:
            cinder:
              DEFAULT:
                default_volume_type: volumes-hdd-luks
```
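A review check for the configuration produced by the steps above, added here as an example and not part of the MOSK documentation or product code: it walks the spec.services.block-storage.cinder.values layout shown on this page, lists the volume types that declare an encryption provider, compares each against the LUKS parameters used above, and confirms that default_volume_type points at an encrypted type. The sample spec is constructed from the two snippets on this page.

```python
"""Audit the Cinder part of an OpenStackDeployment spec for LUKS volume types.
Added example, not MOSK code; assumes the spec layout shown on this page."""

# Parameter values the page uses for a LUKS volume type.
EXPECTED_LUKS_ARGS = {
    "encryption-provider": "luks",
    "encryption-cipher": "aes-xts-plain64",
    "encryption-key-size": 256,
    "encryption-control-location": "front-end",
}

def _cinder_values(spec):
    """Return spec.services.block-storage.cinder.values, or {} when absent."""
    svc = spec.get("services", {}).get("block-storage", {})
    return svc.get("cinder", {}).get("values", {})

def _volume_types(spec):
    return _cinder_values(spec).get("bootstrap", {}).get("volume_types", {})

def encrypted_volume_types(spec):
    """Names of volume types that declare an encryption-provider."""
    return sorted(name for name, body in _volume_types(spec).items()
                  if "encryption-provider" in body.get("arguments", {}))

def audit_volume_type(spec, name):
    """Findings for one encrypted volume type; an empty list means it matches."""
    body = _volume_types(spec).get(name, {})
    args = body.get("arguments", {})
    findings = [f"{name}: {k}={args.get(k)!r}, expected {v!r}"
                for k, v in EXPECTED_LUKS_ARGS.items() if args.get(k) != v]
    if "volume_backend_name" not in body:
        findings.append(f"{name}: volume_backend_name is not set")
    return findings

def default_type_is_encrypted(spec):
    """True when default_volume_type names an encrypted volume type."""
    default = (_cinder_values(spec).get("conf", {}).get("cinder", {})
               .get("DEFAULT", {}).get("default_volume_type"))
    return default in encrypted_volume_types(spec)

# Constructed sample mirroring the two snippets on this page, plus an unencrypted type.
SAMPLE_SPEC = {"services": {"block-storage": {"cinder": {"values": {
    "bootstrap": {"volume_types": {
        "volumes-hdd-luks": {"volume_backend_name": "volumes-hdd", "arguments": {
            "encryption-cipher": "aes-xts-plain64", "encryption-key-size": 256,
            "encryption-control-location": "front-end", "encryption-provider": "luks"}},
        "volumes-hdd": {"volume_backend_name": "volumes-hdd"}}},
    "conf": {"cinder": {"DEFAULT": {"default_volume_type": "volumes-hdd-luks"}}},
}}}}}
```

Feed it the `spec` mapping of a real CR (for example loaded with PyYAML) to confirm that no volume type silently diverges from the intended cipher, key size or control location.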