Video recording and production done by OpenStack Foundation.
Lets encrypt all the things!
Well, lets not, that's silly - but there's a lot of smart things we can encrypt, some of them require shiny hardware but quite a lot can be done through the clever application of existing software.
In this talk Robert proposes a two tiered encryption model to be applied to an OpenStack deployment.
Foundational - Full Disk Encryption. Encrypting everything on disk is non-trivial when managing large datacentres full of gear. In fact the complexity of this task normally makes it prohibative unless using hardware based solutions. At HP we have developed a new way to approach this problem. It makes Linux Full Disk Encryption pretty painless, scales beautifully and finally does away with retroactive "Log in and type the key" type systems that are just plain horrible. We will peak beneath the covers of this solution and share the code with the community so that we can all deploy full disk encryption at scale in a reliable and safe way.
OpenStack Native - Cinder, Nova and Swift all have native encryption capabilities in the pipeline. During this section of the talk we review their progress and discuss when they can be integrated into running prouction clouds to create a multi-layered encrypted cloud.
Combining these technologies protects everything on disk from accidental loss or compromise while also cryptographically separating tenant data on disk - both have been strong asks for OpenStack for a long time.
In addition, we will introduce Project Marshal.
Project Marshal is an open source implementation of an agent that provides the missing piece of the puzzle for volume encryption. Using the Barbican client API, it allows running virtual machines to access secrets stored in Barbican to use encrypted volumes with tenant managed keys.
- What is project “Marshal”?
- What are its features, claims, and roadmap?
- Where can I get the code?
- How can I help set priorities and contribute to Marshal?