By default, ephemeral volumes are not encrypted. To enable ephemeral disk encryption, use the following steps.
Before deploying the Compute nodes you need to change the disk configuration to create a new volume group that will be used for your ephemeral disks. To do this, follow these steps:
Log in to the Cloud Lifecycle Manager.
Add details about the volume group you will be using for your encrypted volumes. You have two options: create a new volume group, or add the details of an existing volume group.
To create a new volume group, add the following lines to your Compute disk configuration file. The location of the Compute disk configuration file is:
~/openstack/my_cloud/definition/data/disks_compute.yml

    name: vg-comp
    physical-volumes:
      - /dev/sdb
To use an existing volume group, add the following lines to your nova.conf file, using the name of your volume group:

    [libvirt]
    images_type = lvm
    images_volume_group = <volume_group_name>
The requirement here is to have free space available on a volume group. The correct disk to use and the name for the volume group will depend on your environment's needs.
Modify the nova.conf file on the Compute and API nodes. Verify that the following entries exist; if they do not, add them and then restart the nova-compute and nova-api services:

    [libvirt]
    images_type = lvm
    images_volume_group = vg-comp

    [ephemeral_storage_encryption]
    key_size = 256
    cipher = aes-xts-plain64
    enabled = True

    [keymgr]
    api_class = nova.keymgr.barbican.BarbicanKeyManager

    [barbican]
    endpoint_template = https://192.168.245.9:9311/v1

The endpoint_template above is the Barbican endpoint of the example deployment; replace it with the Barbican endpoint of your own cloud. Note that key_size is the dm-crypt key length in bits and that XTS consumes two AES keys, so key_size = 256 with aes-xts-plain64 yields AES-128-XTS; use key_size = 512 if you require AES-256-XTS.
To restart the services, use the following commands:

    sudo systemctl restart nova-compute
    sudo systemctl restart nova-api
Assign the role in Keystone using the CLI tool. Using the openstack client, assign the user the key-manager:creator role for the project, so that the ephemeral disk keys can be created in Barbican for that project.
Boot an instance with an ephemeral disk and verify that the disk is encrypted. Once the instance is active, you can check on the Compute node whether the ephemeral disk is encrypted.
SSH into the Compute node, then run the following commands:

    sudo dmsetup status
    sudo cryptsetup -v status <name_of_ephemeral_disk>

An encrypted ephemeral disk is listed in the dmsetup status output as a crypt target (an unencrypted LVM disk shows only a linear target), and cryptsetup status reports the cipher (aes-xts-plain64) and key size that were configured in nova.conf.
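The following script is an added example, not part of the original documentation or of the Cloud Lifecycle Manager, showing how to turn the manual dmsetup/cryptsetup check of the last step into a pass/fail verification. It parses the output of dmsetup status and cryptsetup status, confirms that the instance's disk is a dm-crypt target with the cipher and key size set in nova.conf, and reports the effective AES strength of the XTS key. The device-mapper names, the instance identifier and the sample command output are constructed for illustration (nova prefixes its dm-crypt devices with crypt-, but the rest of the name is assumed); on a real Compute node you would feed the functions the live output as shown in the comment near the end.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): verify that an instance's
# ephemeral disk is backed by a dm-crypt target with the cipher and key
# size configured in nova.conf. Device names and sample output below are
# constructed for illustration, not captured from a real node.
set -eu

# Print the device-mapper target type ("crypt", "linear", ...) of NAME.
# `dmsetup status` prints one line per device:
#   <name>: <start-sector> <length-sectors> <target-type> [status args]
# Returns 1 if NAME is not listed.
dm_target_type() {
  name="$1"; dmsetup_out="$2"
  printf '%s\n' "$dmsetup_out" |
    awk -v n="$name:" '$1 == n { print $4; found = 1 } END { exit !found }'
}

# Extract one field ("type", "cipher", "keysize", ...) from `cryptsetup status`
# output, whose body lines look like "  cipher:  aes-xts-plain64".
cryptsetup_field() {
  field="$1"; cryptsetup_out="$2"
  printf '%s\n' "$cryptsetup_out" |
    awk -v f="$field:" '$1 == f { print $2; found = 1 } END { exit !found }'
}

# Effective AES key length for a dm-crypt key size. XTS uses two AES keys,
# so a 256-bit dm-crypt key is AES-128-XTS and 512 bits is AES-256-XTS.
effective_aes_bits() {
  cipher="$1"; keysize_bits="$2"
  case "$cipher" in
    aes-xts-*) echo $(( keysize_bits / 2 )) ;;
    aes-*)     echo "$keysize_bits" ;;
    *)         echo 0 ;;
  esac
}

# Check that NAME is a dm-crypt target using WANT_CIPHER with a WANT_KEYSIZE-bit
# key. Prints a verdict; returns 0 when encrypted as expected, 1 otherwise.
check_ephemeral_encryption() {
  name="$1"; want_cipher="$2"; want_keysize="$3"; dmsetup_out="$4"; cryptsetup_out="$5"
  if ! target=$(dm_target_type "$name" "$dmsetup_out"); then
    echo "FAIL: $name not found in dmsetup status"; return 1
  fi
  if [ "$target" != crypt ]; then
    echo "FAIL: $name is a '$target' target, not dm-crypt (disk is plaintext)"; return 1
  fi
  cipher=$(cryptsetup_field cipher "$cryptsetup_out" || true)
  keysize=$(cryptsetup_field keysize "$cryptsetup_out" || true)
  if [ "$cipher" != "$want_cipher" ] || [ "$keysize" != "$want_keysize" ]; then
    echo "FAIL: $name uses '$cipher' with a ${keysize:-?}-bit key, expected $want_cipher/$want_keysize bits"
    return 1
  fi
  echo "OK: $name is dm-crypt $cipher with a $keysize-bit key (AES-$(effective_aes_bits "$cipher" "$keysize")-XTS)"
}

# Constructed sample of `sudo dmsetup status` on a Compute node with one
# encrypted ephemeral disk (the crypt- device stacked on its LV) and one
# unencrypted LV. "a1b2c3d4" stands in for the instance's UUID.
SAMPLE_DMSETUP='crypt-a1b2c3d4_disk.eph0: 0 2097152 crypt
vg--comp-a1b2c3d4_disk.eph0: 0 2097152 linear
vg--comp-e5f6a7b8_disk.eph0: 0 2097152 linear'

# Constructed sample of `sudo cryptsetup status crypt-a1b2c3d4_disk.eph0`
# (nova sets the volume up in plain dm-crypt mode, hence type PLAIN).
SAMPLE_CRYPTSETUP='/dev/mapper/crypt-a1b2c3d4_disk.eph0 is active and is in use.
  type:    PLAIN
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/mapper/vg--comp-a1b2c3d4_disk.eph0
  offset:  0 sectors
  size:    2097152 sectors
  mode:    read/write'

# Live use on a Compute node (not run here) would be:
#   name=crypt-<instance-uuid>_disk.eph0
#   check_ephemeral_encryption "$name" aes-xts-plain64 256 \
#       "$(sudo dmsetup status)" "$(sudo cryptsetup status "$name")"
check_ephemeral_encryption crypt-a1b2c3d4_disk.eph0 aes-xts-plain64 256 \
  "$SAMPLE_DMSETUP" "$SAMPLE_CRYPTSETUP"
# The bare LV is a linear target, so this reports the disk as plaintext:
check_ephemeral_encryption vg--comp-e5f6a7b8_disk.eph0 aes-xts-plain64 256 \
  "$SAMPLE_DMSETUP" "$SAMPLE_CRYPTSETUP" || true
```

The check deliberately compares both the cipher and the key size against what nova.conf specifies, because a disk that is encrypted with the wrong parameters (for example after a stale configuration was left on one Compute node) would otherwise pass a simple "is it a crypt target" test. The preceding step's Keystone role assignment, done with the openstack client, is openstack role add --user <user> --project <project> key-manager:creator; the user and project names are placeholders.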