Validating cinder volume encryption.
I have a requirement for having encrypted cinder volumes. I followed the steps as per the docs to create a new volume type and then called cinder encryption-type-create.
Here are the steps:
cinder type-create encrypted_vol_2
cinder encryption-type-create --cipher aes-xts-plain --key_size 512 --control_location front-end encrypted_vol_2 nova.volume.encryptors.luks.LuksEncryptor
I validated new volume creation with the new volume type and attached the volume to a VM. So, just at the surface, all the functionality works, but how can I validate whether the data is actually getting encrypted?
Just an update on this one. Firstly I forgot to mention that my Cinder deployment is backed by ceph. Secondly, I don't think encryption is working.
What I tried was the following. After attaching the volume to an instance, I logged into the VM, then:
fdisk /dev/vdd (to create a new partition)
echo "This is a new test" >> /dev/vdd
Now, using the radoslib API, I directly tried to read the volume data from ceph, and I was able to see the "This is a new test" string:
import rados, rbd
cluster = rados.Rados(conffile='/etc/ceph/ceph.conf'); cluster.connect(); ioctx = cluster.open_ioctx('volumes')  # conf path and pool name assumed; ioctx was missing from the original snippet
image2 = rbd.Image(ioctx, 'volume-77b4f553-0f6f-47ac-a456-eb2c7b69d933', read_only=True)
image2.read(0, 1024)  # 1 KiB from offset 0 of the raw RBD image, bypassing the guest's block device
"This is a new test\n\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
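To turn the spot check above into a repeatable test, here is an added example (not code from the original post): it reads the first bytes of the RBD image straight from Ceph and checks for the LUKS header magic at offset 0 and for the absence of a known plaintext marker written inside the guest. The pool name, ceph.conf path, volume id and marker string are assumptions; the sample bytes in the main block are constructed to mirror what the post observed.

```python
import math
from collections import Counter

# Magic bytes at offset 0 of a LUKS1/LUKS2 header (cryptsetup on-disk format)
LUKS_MAGIC = b"LUKS\xba\xbe"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, near 0 for zero-filled or text blocks."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_volume_head(head: bytes, marker: bytes) -> dict:
    """Classify bytes read straight from the backend, bypassing the guest."""
    return {
        "luks_header": head.startswith(LUKS_MAGIC),
        "marker_in_plaintext": marker in head,
        "entropy": round(shannon_entropy(head), 3),
    }


def looks_encrypted(head: bytes, marker: bytes) -> bool:
    """True only if a LUKS header is present and the guest-written marker is not readable."""
    r = assess_volume_head(head, marker)
    return r["luks_header"] and not r["marker_in_plaintext"]


def read_volume_head(pool, volume_id, length=4096, conffile="/etc/ceph/ceph.conf"):
    """Read the first `length` bytes of volume-<id> from Ceph via librbd.
    Needs the rados/rbd bindings; pool and conffile are assumptions for this example."""
    import rados, rbd  # imported here so the pure checks above run without Ceph
    cluster = rados.Rados(conffile=conffile)
    cluster.connect()
    try:
        with cluster.open_ioctx(pool) as ioctx, rbd.Image(ioctx, "volume-" + volume_id, read_only=True) as image:
            return image.read(0, length)
    finally:
        cluster.shutdown()


if __name__ == "__main__":
    # Constructed sample reproducing the post's observation: plaintext marker at offset 0
    marker = b"This is a new test"
    seen = marker + b"\n" + bytes(1005)
    print(assess_volume_head(seen, marker), "encrypted:", looks_encrypted(seen, marker))
```

A volume encrypted by the front-end LuksEncryptor keeps the LUKS header at offset 0 of the backend image, with guest writes landing in the encrypted payload area behind it; a guest marker readable at offset 0, as in the session above, means no encryption layer sits in the data path.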