On 30 November 2015 at 16:04, Coffman, Joel M. <joel.coff...@jhuapl.edu> wrote:
> On 11/25/15, 11:33 AM, "Ben Swartzlander" <b...@swartzlander.org> wrote:
>
> On 11/24/2015 03:27 PM, Nathan Reller wrote:
>
> Trying to design a system where we expect nova to do data encryption but
> not cinder will not work in the long run. The eventual result will be
> that nova will have to take on most of the functionality of cinder and
> we'll be back to the nova-volume days.
>
> Could you explain further what you mean by "nova will have to take on most
> of the functionality of cinder"? In the current design, Nova is still
> passing data blocks to Cinder for storage – they're just encrypted instead
> of plaintext. That doesn't seem to subvert the functionality of Cinder or
> reimplement it.
>

The functionality of cinder is more than blindly storing blocks - in particular it has create-from/upload-to image, backup, and retype, all of which do some degree of manipulation of the data and/or volume encryption metadata. We are suffering from somewhat incompatible requirements with encryption between those who want fully functional cinder and encryption on disk (the common case I think), and those who have enhanced security requirements.

--
Duncan Thomas
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev