Hi Kris, I came across that as well and I believe it has been fixed and ensures existing volumes are accessible:
https://github.com/openstack/nova/blob/8c3f775743914fe083371a31433ef5563015b029/releasenotes/notes/bug-1633518-0646722faac1a4b9.yaml Definitely worthwhile to bring up :) Joe On Mon, Jan 23, 2017 at 12:53 PM, Kris G. Lindgren <klindg...@godaddy.com> wrote: > Slightly off topic, > > > > But I remember a discussion involving encrypted volumes and nova(?) and > there was an issue where an issue/bug where nova was using the wrong key – > like it got hashed wrong and was using the badly hashed key/password vs’s > what was configured. > > > > > > ___________________________________________________________________ > > Kris Lindgren > > Senior Linux Systems Engineer > > GoDaddy > > > > *From: *Joe Topjian <j...@topjian.net> > *Date: *Monday, January 23, 2017 at 12:41 PM > *To: *"openstack-operators@lists.openstack.org" < > openstack-operators@lists.openstack.org> > *Subject: *[Openstack-operators] Encrypted Cinder Volume Deployment > > > > Hi all, > > > > I'm investigating the options for configuring Cinder with encrypted > volumes and have a few questions. > > > > The Cinder environment is currently running Kilo which will be upgraded to > something between M-O later this year. The Kilo release supports the > fixed_key setting. I see fixed_key is still supported, but has been > abstracted into Castellan. > > > > Question: If I configure Kilo with a fixed key, will existing volumes > still be able to work with that same fixed key in an M, N, O release? > > > > Next, fixed_key is discouraged because of it being a single key for all > tenants. My understanding is that Barbican provides a way for each tenant > to generate their own key. > > > > Question: If I deploy with fixed_key (either now or in a later release), > can I move from a master key to Barbican without bricking all existing > volumes? > > > > Are there any other issues to be aware of? I've done a bunch of Googling > and searching on bugs.launchpad.net and am pretty satisfied with the > current state of support. My intention is to provide users with simple > native encrypted volume support - not so much supporting uploaded volumes, > bootable volumes, etc. > > > > But what I want to make sure of is that I'm not in a position where in > order to upgrade, a bunch of volumes become irrecoverable. > > > > Thanks, > > Joe >
_______________________________________________ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators