Applies to SUSE OpenStack Cloud 9

11 Encryption of Ephemeral Volumes

By default, ephemeral volumes are not encrypted. If you wish to enable this feature, you should use the following steps.

Note

For more details about this feature, see Ephemeral storage encryption for LVM backend.

11.1 Enabling ephemeral volume encryption

Before deploying the Compute nodes you will need to change the disk configuration to create a new volume-group which will be used for your ephemeral disks. To do this, follow these steps:

  1. Log in to the Cloud Lifecycle Manager.

  2. Add details about the volume-group you will be using for your encrypted volumes. You have two options: create a new volume-group, or add the details of an already existing volume-group.

    1. To create a new volume-group, add the following lines to your Compute disk configuration file.

      The location of the Compute disk configuration file is:

      ~/openstack/my_cloud/definition/data/disks_compute.yml

      name: vg-comp
      physical-volumes:
        - /dev/sdb

    2. To use an existing volume-group, add the following lines to your nova.conf file, substituting the name of your volume-group:

      [libvirt]
      images_type = lvm
      images_volume_group = <volume_group_name>
    Note

    The only requirement is that the volume-group has free space available. The correct disk to use and the name of the volume-group depend on your environment's needs.

  3. Modify the nova.conf file on the Compute and API nodes. Verify that the following entries exist; if they do not, add them and then restart the nova-compute and nova-api services:

    [libvirt]
    images_type = lvm
    images_volume_group = vg-comp
    
    [ephemeral_storage_encryption]
    key_size = 256
    cipher = aes-xts-plain64
    enabled = True
    
    [keymgr]
    api_class = nova.keymgr.barbican.BarbicanKeyManager
    
    [barbican]
    endpoint_template = https://192.168.245.9:9311/v1

    To restart the services, use the following commands:

    sudo systemctl restart nova-compute
    sudo systemctl restart nova-api
  4. Assign the role in Keystone using the CLI tool. With the openstack client, assign the user the key-manager:creator role for the project.

  5. Boot an instance with an ephemeral disk and verify that the disk is encrypted. Once the instance is active, you can check on the Compute node whether the ephemeral disk is encrypted.

    SSH into the Compute node, then run the following commands:

    sudo dmsetup status
    cryptsetup -v status <name_of_ephemeral_disk>
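As an added example (not SUSE's own code), the following POSIX shell script checks the two things the procedure above relies on: that nova.conf carries the entries required in step 3, and that an ephemeral disk shows up as a dm-crypt target in the output of dmsetup status (step 5). The nova.conf fragment and the dmsetup status output embedded in the script are constructed samples, and the device-mapper names in them are placeholders rather than the names nova actually generates.

```shell
#!/bin/sh
# Added example, not part of the SUSE documentation: verification helpers for
# the ephemeral volume encryption procedure. The nova.conf fragment and the
# "dmsetup status" output below are constructed samples; the device-mapper
# names are placeholders.

# Constructed nova.conf fragment mirroring the entries required in step 3.
SAMPLE_NOVA_CONF='[libvirt]
images_type = lvm
images_volume_group = vg-comp

[ephemeral_storage_encryption]
key_size = 256
cipher = aes-xts-plain64
enabled = True
'

# Constructed "dmsetup status" output (format: "name: start length target-type ...").
# An encrypted ephemeral disk is backed by a "crypt" target; a plain LVM
# logical volume shows a "linear" target.
SAMPLE_DMSETUP_STATUS='vg--comp-instance--0001_disk.eph0: 0 2097152 linear
vg--comp-instance--0001_disk.eph0-dmcrypt: 0 2097152 crypt
system-root: 0 41943040 linear
'

# conf_value FILE SECTION KEY: print the value of a "KEY = value" line
# inside [SECTION] (assumes the "key = value" spacing used in step 3).
conf_value() {
    awk -v section="[$2]" -v key="$3" '
        /^\[/ { in_section = ($0 == section); next }
        in_section && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# check_encryption_conf FILE: succeed only if the LVM backend is selected and
# ephemeral encryption is enabled with the cipher and key size from step 3.
check_encryption_conf() {
    [ "$(conf_value "$1" libvirt images_type)" = "lvm" ] || return 1
    [ "$(conf_value "$1" ephemeral_storage_encryption enabled)" = "True" ] || return 1
    [ "$(conf_value "$1" ephemeral_storage_encryption cipher)" = "aes-xts-plain64" ] || return 1
    [ "$(conf_value "$1" ephemeral_storage_encryption key_size)" = "256" ] || return 1
}

# dm_target_type NAME: read "dmsetup status" text on stdin and print the
# target type of the device NAME.
dm_target_type() {
    awk -v name="$1:" '$1 == name { print $4; exit }'
}

# is_dm_crypt STATUS_TEXT NAME: succeed if NAME is a dm-crypt mapping.
is_dm_crypt() {
    [ "$(printf '%s\n' "$1" | dm_target_type "$2")" = "crypt" ]
}

# Stand-alone demonstration against the constructed samples.
conf_file=$(mktemp)
printf '%s' "$SAMPLE_NOVA_CONF" > "$conf_file"
if check_encryption_conf "$conf_file"; then
    echo "nova.conf: ephemeral encryption enabled"
else
    echo "nova.conf: ephemeral encryption NOT enabled"
fi
rm -f "$conf_file"

for dev in vg--comp-instance--0001_disk.eph0 vg--comp-instance--0001_disk.eph0-dmcrypt; do
    if is_dm_crypt "$SAMPLE_DMSETUP_STATUS" "$dev"; then
        echo "$dev: dm-crypt target"
    else
        echo "$dev: not encrypted ($(printf '%s\n' "$SAMPLE_DMSETUP_STATUS" | dm_target_type "$dev"))"
    fi
done
```

On a real Compute node, point check_encryption_conf at /etc/nova/nova.conf and pipe the live output of sudo dmsetup status into dm_target_type with the name of the ephemeral disk's mapping. Treat the dmsetup check as a quick pre-check only; cryptsetup -v status on the mapping, as in step 5, remains the authoritative confirmation.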