Mirantis Container Cloud (MCC) becomes part of Mirantis OpenStack for Kubernetes (MOSK)!

Starting with MOSK 25.2, the MOSK documentation set will cover all product layers, including MOSK management (formerly MCC). This means everything you need will be in one place. The separate MCC documentation site will be retired, so please update your bookmarks for continued easy access to the latest content.

Enable Cinder volume encryption¶

TechPreview

Note

Consider this section as part of Deploy an OpenStack cluster.

This section instructs you on how to enable Cinder volume encryption through the OpenStackDeployment CR using Linux Unified Key Setup (LUKS) and store the encryption keys in Barbican. For details, see Volume encryption.

To enable Cinder volume encryption:

In the OpenStackDeployment CR, specify the LUKS volume type and configure the required encryption parameters for the storage system to encrypt or decrypt the volume.

The volume_types definition example:

spec:
  services:
    block-storage:
      cinder:
        values:
          bootstrap:
            volume_types:
              volumes-hdd-luks:
                arguments:
                  encryption-cipher: aes-xts-plain64
                  encryption-control-location: front-end
                  encryption-key-size: 256
                  encryption-provider: luks
                volume_backend_name: volumes-hdd

To create an encrypted volume as a non-admin user and store keys in the Barbican storage, assign the creator role to the user since the default Barbican policy allows only the admin or creator role:
```
openstack role add --project <PROJECT-ID> --user <USER-ID> --creator <CREATOR-ID> creator
```

Optional. To define an encrypted volume as a default one, specify volumes-hdd-luks in default_volume_type in the Cinder configuration:

spec:
  services:
    block-storage:
      cinder:
        values:
          conf:
            cinder:
              DEFAULT:
                default_volume_type: volumes-hdd-luks