Validating cinder volume encryption.

asked 2016-04-13 15:38:50 -0600

bdastur gravatar image

updated 2016-04-13 17:10:38 -0600

I have a requirement for having encrypted cinder volumes, I followed the steps as per docs to create a new volume type and then call cinder encryption-type-create.

Here are the steps:

cinder type-create encrypted_vol_2    
cinder encryption-type-create --cipher aes-xts-plain --key_size 512 --control_location front-end encrypted_vol_2 nova.volume.encryptors.luks.LuksEncryptor

I validated new volume creation with the new volume-type and attached the volume to a VM. So just at the surface all the functionality works, but how can I validated if the data is actually getting encrypted.

Just an update on this one. Firstly I forgot to mention that my Cinder deployment is backed by ceph. Secondly, I don't think encryption is working.

What I tried was the following. After attaching the volume to an instance, logged into the VM, then

fdisk /dev/vdd (to create a new partition) echo "This is a new test" >> /dev/vdd

Now using the radoslib API, I directly tried to read the volume data from ceph, and I was able to see the "This is a new test" string

image2 = rbd.Image(ioctx, 'volume-77b4f553-0f6f-47ac-a456-eb2c7b69d933', read_only=True),1024)
"This is a new test\n\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00

\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ x00\x00\x00\x00\x00\x00\x00\x00

edit retag flag offensive close merge delete