cinder-specs/specs/untargeted/byok-for-cinder.rst

Support for the "bring your own keys" approach for Cinder

https://blueprints.launchpad.net/cinder/+spec/byok-for-cinder

Cinder currently lags support the API to create a volume with a predefined (e.g. already stored in Barbican) encryption key. This feature would be useful for use cases where end-users should be enabled to store keys later on used to encrypt volumes.

Problem description

Encryption keys are currently generated completely transparent for end-users. Most features are already implemented and tested therefore. What's missing is the possibility to use a user defined key, known as "bring your own keys", for encryption. This may be useful for certain legal requirements or specifications to be fulfilled.

Use Cases

• End users are enabled to manage their own keys
• With proper backups in place data can be recovered even if the key is lost at the deployer
• With trust in the deployer to have a proper KeyManager setup in place data can be securely deleted at any time with deleting the key and volumes attached
• Key management can be enabled with the toolset of the end user in multi cloud use cases

Proposed change

Most peaces are already in place and do not to be changed for that feature to be implemented. The KeyManager implementation holds the key provided by the end user.

• The most visible change is to be able to provide an encryption key ID to create volume.
• cinder.volume.volume_utils.clone_encryption_key() must be used to ensure keys can be deleted when the volume is deleted

Alternatives

The API could be extended to create volumes with given key data. From the developer side difficulties are seen in how keys are managed internally (that's why clone_encryption_key() is used for snapshot based volumes). From the deployers perspective the KeyManager API is hidden from the end user and maybe for specific implementations logs are less detailed if called internally from Cinder.

Data model impact

None

REST API impact

• /v3/{project_id}/volumes
  • Create a volume: POST
  • Normal http response code(s): 202
  • New optional parameter encryption_key_id indicates which encryption key ID from the KeyManager implementation should be used
  • Maybe a new use of response code 409 may be needed if e.g. a encrypted snapshot volume should be copied with a different key

Security impact

No direct security impact changes are connected with the proposed change. For the alternative solution sensitive encryption keys are handled by .Create().

Active/Active HA impact

None

Notifications impact

None

Other end user impact

For python-cinderclient a new optional attribute may be added.

Performance Impact

Encryption key ID lookup will have no significant impact and is already done if e.g. encrypted snapshots are in use.

Other deployer impact

None

Developer impact

None

Implementation

Assignee(s)

nteo

Work Items

• Update /cinder/volume/api.py to accept an encryption key ID. The encryption key ID should be stored in the configured KeyManager (usually Barbican). Based on feedback of the OpenStack community an alternative would be to provide and store the key right away on create.
• clone_encryption_key() of /cinder/volume/volume_utils.py must be used to ensure keys can be deleted when the volume is deleted

Dependencies

No new ones

Testing

Similar to encrypted snapshot handling.

Documentation Impact

The optional new parameter should be listed.

References

• Original research of encryption features<https://input.scs.community/9FbrLgYbT8KFvZGXLzay6Q>
• Spec for supporting image encryption in OpenStack<https://review.opendev.org/q/topic:%22image-encryption%22>