On Wed, 2013-11-20 at 13:26 +0200, David Hadas wrote:
> Hi all,
>
> We created a wiki page discussing the addition of software side encryption
> to Swift:
> "The general scheme is to create a swift proxy middleware that will encrypt
> and sign the object data during PUT and check the signature + decrypt it
> during GET. The target is to create two domains - the user domain between
> the client and the middleware where the data is decrypted and the system
> domain between the middleware and the data at rest (on the device) where
> the data is encrypted.
> Design goals include: (1) Extend swift as necessary but without changing
> existing swift behaviors and APIs; (2) Support encrypting data incoming
> from unchanged clients"
>
> See: https://wiki.openstack.org/wiki/Swift/server-side-enc
> We would like to invite feedback.
Please make sure to have a look at the KDS service proposal and how it deals
with encrypting keys for storage.

https://review.openstack.org/#/c/37118/

It is abandoned as it has been decided it should be split into its own service
rather than live in keystone; however, the principles won't change much. It
handles using a master encryption key to generate a per-host key with which it
signs and encrypts using the crypto functions that are already in oslo. That
part of the code isn't too hard to write on a per-use basis, but if server side
encryption is going to become more widely adopted by projects then I am
interested in helping extract this functionality into something generic for
OSLO.

> DH
>
>
> Regards,
> David Hadas,
> Openstack Swift ATC, Architect, Master Inventor
> IBM Research Labs, Haifa
> Tel: Int+972-4-829-6104
> Fax: Int+972-4-829-6112
>
>
> _______________________________________________
> OpenStack-dev mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
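The scheme both messages describe, as an added stdlib-only Python sketch that is not code from the wiki page, the KDS review or oslo: a per-host key derived from a master key, a PUT path that encrypts then signs, and a GET path that verifies the signature in constant time before decrypting and refuses tampered data. The HMAC-based key derivation, the HMAC-counter keystream (a stand-in for AES, which the standard library lacks) and every function name are assumptions made for the example.

```python
import hashlib
import hmac
import os

def derive_host_key(master_key: bytes, host_id: str) -> bytes:
    """KDS-style per-host key from the master key (HMAC as the KDF is an assumption)."""
    return hmac.new(master_key, b"host-key:" + host_id.encode(), hashlib.sha256).digest()

def split_keys(host_key: bytes):
    """Separate encryption and signing keys so the two operations never share a key."""
    enc_key = hmac.new(host_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(host_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key

def keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stdlib-only stand-in for AES-CTR."""
    stream = bytearray()
    for block_no in range((len(data) + 31) // 32):
        counter = nonce + block_no.to_bytes(8, "big")
        stream.extend(hmac.new(enc_key, counter, hashlib.sha256).digest())
    return bytes(a ^ b for a, b in zip(data, stream))

def put_object(host_key: bytes, plaintext: bytes) -> bytes:
    """PUT path: encrypt, then sign (encrypt-then-MAC). Stored blob = nonce || ciphertext || tag."""
    enc_key, mac_key = split_keys(host_key)
    nonce = os.urandom(16)  # fresh per object so identical plaintexts never share a keystream
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def get_object(host_key: bytes, stored: bytes) -> bytes:
    """GET path: verify the tag in constant time first, then decrypt; reject anything tampered."""
    enc_key, mac_key = split_keys(host_key)
    nonce, ciphertext, tag = stored[:16], stored[16:-32], stored[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("object signature check failed")
    return keystream_xor(enc_key, nonce, ciphertext)

def tampered_object_is_rejected(host_key: bytes, stored: bytes) -> bool:
    """Flip one byte of the data at rest and confirm the GET path refuses to serve it."""
    corrupted = bytearray(stored)
    corrupted[16] ^= 0x01
    try:
        get_object(host_key, bytes(corrupted))
    except ValueError:
        return True
    return False
```

The same blob read with another host's key also fails the signature check, which is the property a per-host key split is meant to give.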
