11 Encryption of Ephemeral Volumes
By default, ephemeral volumes are not encrypted. If you wish to enable this feature, you should use the following steps.
For more details about this feature, see Ephemeral storage encryption for LVM backend.
11.1 Enabling ephemeral volume encryption
Before deploying the Compute nodes you will need to change the disk configuration to create a new volume-group which will be used for your ephemeral disks. To do this, follow these steps:

1. Log in to the Cloud Lifecycle Manager.

2. Add details about the volume-group you will be using for your encrypted volumes. You have two options for this: you can either create a new volume-group or add the details for an already existing volume-group.

   To create a new volume-group, add the following lines to your Compute disk configuration file. The location of the Compute disk configuration file is:

       ~/openstack/my_cloud/definition/data/disks_compute.yml

       name: vg-comp
       physical-volumes:
         - /dev/sdb

   To utilize an existing volume-group, add the following lines to your nova.conf file, using the name of your volume-group:

       [libvirt]
       images_type = lvm
       images_volume_group = <volume_group_name>

   Note: The requirement here is to have free space available on a volume-group. The correct disk to use and the name for the volume group will depend on your environment's needs.

3. Modify the nova.conf file for the Compute and API nodes. Verify that the following entries exist; if they do not, add them and then restart the nova-compute and nova-api services:

       [libvirt]
       images_type = lvm
       images_volume_group = vg-comp

       [ephemeral_storage_encryption]
       key_size = 256
       cipher = aes-xts-plain64
       enabled = True

       [keymgr]
       api_class = nova.keymgr.barbican.BarbicanKeyManager

       [barbican]
       endpoint_template = https://192.168.245.9:9311/v1

   To restart the services, use the following commands:

       sudo systemctl restart nova-compute
       sudo systemctl restart nova-api

4. Assign the role in keystone using the CLI tool. Using the openstack client you can assign the user the key-manager:creator role for the project.

5. Boot an instance with an ephemeral disk and verify that the disk is encrypted. Once the instance is active it is possible to check on the Compute node whether the ephemeral disk is encrypted. SSH into the Compute node, then run the following commands:

       sudo dmsetup status
       cryptsetup -v status <name_of_ephemeral_disk>
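As an added example (not code from the SUSE documentation or from OpenStack), the following Python checks a nova.conf body for the entries the procedure requires and picks out dm-crypt mappings from saved dmsetup status output, so the verification in the last step can be scripted across many Compute nodes; the configuration text and dmsetup lines it uses are constructed samples.

```python
"""Added example (not the SUSE/OpenStack docs' own code): offline checks for the entries above."""
import configparser

# Values the procedure expects in nova.conf, keyed by (section, option).
EXPECTED = {
    ("libvirt", "images_type"): "lvm",
    ("ephemeral_storage_encryption", "enabled"): "True",
    ("ephemeral_storage_encryption", "cipher"): "aes-xts-plain64",
    ("ephemeral_storage_encryption", "key_size"): "256",
    ("keymgr", "api_class"): "nova.keymgr.barbican.BarbicanKeyManager",
}

def check_nova_conf(text):
    """Findings for a nova.conf body; an empty list means every expected entry
    is present. Values are compared case-insensitively."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for (section, option), want in EXPECTED.items():
        got = cp.get(section, option, fallback=None)  # fallback also covers a missing section
        if got is None:
            findings.append(f"missing [{section}] {option}")
        elif got.strip().lower() != want.lower():
            findings.append(f"[{section}] {option} = {got!r}, expected {want!r}")
    if not cp.get("libvirt", "images_volume_group", fallback="").strip():
        findings.append("missing [libvirt] images_volume_group")
    if not cp.get("barbican", "endpoint_template", fallback="").startswith("https://"):
        findings.append("[barbican] endpoint_template is not an https:// URL")
    return findings

def crypt_devices(dmsetup_status):
    """Names of device-mapper devices with a 'crypt' target in `dmsetup status`
    output (one device per line: name: start length target [args])."""
    names = []
    for line in dmsetup_status.splitlines():
        name, sep, rest = line.partition(":")
        fields = rest.split()
        if sep and len(fields) >= 3 and fields[2] == "crypt":
            names.append(name.strip())
    return names

# Constructed samples: the nova.conf entries from the procedure, plus two dmsetup status lines.
SAMPLE_CONF = """[libvirt]\nimages_type = lvm\nimages_volume_group = vg-comp\n
[ephemeral_storage_encryption]\nkey_size = 256\ncipher = aes-xts-plain64\nenabled = True\n
[keymgr]\napi_class = nova.keymgr.barbican.BarbicanKeyManager\n
[barbican]\nendpoint_template = https://192.168.245.9:9311/v1\n"""
SAMPLE_DMSETUP = "vg--comp-root: 0 16777216 linear\nvg--comp-disk-dmcrypt: 0 4194304 crypt\n"

if __name__ == "__main__":
    print(check_nova_conf(SAMPLE_CONF) or "nova.conf OK", crypt_devices(SAMPLE_DMSETUP))
```

On a real node, feed the script the contents of /etc/nova/nova.conf and the output of `sudo dmsetup status` instead of the samples; a non-empty findings list or an empty device list means the step was not completed.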