Merge "spec: encryption at rest"

2018-05-15 10:43:07 +00:00 · 2018-05-15 10:43:07 +00:00 · 2d93253242
commit 2d93253242
parent 0691b542be 98bdeeb558
1 changed files with 338 additions and 0 deletions
--- a/specs/rocky/approved/encryption-at-rest.rst
+++ b/specs/rocky/approved/encryption-at-rest.rst
@ -0,0 +1,338 @@
+..
+  Copyright 2018, Canonical Ltd.
+
+  This work is licensed under a Creative Commons Attribution 3.0
+  Unported License.
+  http://creativecommons.org/licenses/by/3.0/legalcode
+
+..
+  This template should be in ReSTructured text. Please do not delete
+  any of the sections in this template.  If you have nothing to say
+  for a whole section, just write: "None". For help with syntax, see
+  http://sphinx-doc.org/rest.html To test out your formatting, see
+  http://www.tele3.cz/jbar/rest/rest.html
+
+======================
+Encrypted Data at Rest
+======================
+
+Problem Description
+===================
+
+OpenStack Clouds provide a number of different types of storage to Cloud users,
+including instance ephemeral disks (typically attached to hypervisors), Cinder
+block devices (typically backed by some sort of storage solution such as Ceph)
+and Swift object storage.
+
+By default the data residing on such virtual devices is unencrypted; regulation
+such as PCI-DSS and GPDR+ require that data at rest is stored encrypted,
+so that if devices are removed from the data center, the data on them cannot
+be recovered without access to the appropriate encryption keys.
+
+Proposed Change
+===============
+
+Underlying storage devices will be protected using dm-crypt/LUKS with encryption
+keys stored directly in Hashicorp Vault. No local copy of the key is made during
+the encryption process or the decryption process on boot.
+
+A new tool 'vaultlocker' will be used to LUKS format block devices, directly
+storing encryption keys in Vault.  Keys are referenced using the UUID of the
+underlying block device (which is generated as the disk is prepared for use).
+
+On (re)boot, a vaultlocker-decrypt systemd unit will execute for each encrypted
+block device, retrieving the encryption key from Vault and opening the LUKS
+formatted block device ready for use.
+
+vaultlocker will access vault over https using an approle issued as part of the
+deployment process; the approle will be passed from vault to the consuming
+service via a charm relation and will be scoped for access from units
+participating in the relation to vault.
+
+The approle will be specific to each unit participating in the relation, with
+a policy that only permits read/write/delete/update/list to:
+
+    <kv-backend>/<hostname>/*
+
+from the provided network address of the unit.  Approles for other units will
+be visible in the relation data, but will not be usable as the CIDR ACL will
+not permit access.
+
+In addition to the unit specific approle, and limitation of access to the /32
+of the unit, a secret_id will also be used to authenticate use of the approle.
+
+The secret_id will not be passed over the relation from the vault charm to the
+consuming application. Instead the vault charm will generate a secret_id and
+wrap it using Vault's response wrapping feature.  The resulting one-shot token
+will be passed over the relation to the consuming application unit, which can
+then use the token to pull the secret_id directly from Vault.  This ensures
+that the secret_id is only known to Vault and the consuming application unit.
+
+The one-shot token has a ttl of 1h (allowing for complex deployment with large
+numbers of hook executions to complete on converged hypervisor/storage
+machines).
+
+The initial scope of support will include:
+
+- ceph-osd: OSD device encryption.
+- swift-storage: Block device encryption.
+- nova-compute: Ephemeral storage block device encryption; note that this
+  requires that hypervisors are configured with a specific set of storage
+  devices for use by Nova for ephemeral block devices for instances.
+
+block device preparation
+------------------------
+
+The encrypted block device  will be labelled with a UUID generated by the
+charmhelper.  This UUID will be used during encryption and during decryption
+during server reboots.
+
+The device  will be encrypted with key storage in Vault using:
+
+.. code-block:: bash
+
+    vaultlocker encrypt --uuid $UUID $BLOCK_DEVICE
+
+The resulting dm-crypt block device will be opened ready for use.
+
+swift-storage and nova-compute
+------------------------------
+
+Block devices will be prepared inline with "block device preparation"; existing
+fstab management by the charm will be updated to use `/dev/mapper/crypt-<UUID>`
+entries with a x-systemd.requires option - for example:
+
+.. code-block:: bash
+
+    /dev/mapper/crypt-$UUID  /mnt auto defaults,x-systemd.requires=vaultlocker-decrypt@$UUID.service,comment=vaultlocker 0 2
+
+This ensures that the vaultlocker-decrypt task has completed prior to the mount
+of the mapper device being attempted.
+
+ceph-osd/ceph-volume
+--------------------
+
+Integration into the ceph-osd charm requires the charm to switch to using the
+new ceph-volume tool to manage the creation and activation of OSD's.  This
+requires that the block device be prepared with LVM volumes before passing to
+ceph-volume; to mirror existing ceph-disk functionality:
+
+filestore
+~~~~~~~~~
+
+Use block device for journal and data; journal lv (osd-journal-<OSD-FSID>)
+created on vg ceph-<OSD-FSID> using configured journal size, data lv
+(osd-data-<OSD-FSID) created on vg ceph-<OSD-FSID> using remaining capacity.
+
+.. code-block:: bash
+
+    pv /dev/sdb
+      vg /dev/ceph-<OSD-FSID>
+        lv /dev/ceph-<OSD-FSID/osd-journal-<OSD-FSID>
+        lv /dev/ceph-<OSD-FSID/osd-data-<OSD-FSID>
+
+Use separate device for journal; journal lv (osd-journal-<OSD-FSID>) created
+on vg ceph-journal-<UUID> of a journal device using configured journal size;
+data lv (osd-data-<OSD-FSID) created on ceph-<OSD-FSID> of data device
+using 100% of capacity.
+
+.. code-block:: bash
+
+    pv /dev/sdb
+      vg /dev/ceph-<OSD-FSID>
+        lv /dev/ceph-<OSD-FSID/osd-data-<OSD-FSID>
+    pv /dev/sdg
+      vg /dev/ceph-journal-<UUID>
+        lv /dev/ceph-journal-<UUID>/osd-journal-<OSD-FSID>
+
+bluestore
+~~~~~~~~~
+
+Bluestore is simpler in that there is no journal so a single logical volume
+will be created on ceph-<OSD-FSID> of the provided disk:
+
+.. code-block:: bash
+
+    pv /dev/sdb
+      vg /dev/ceph-<OSD-FSID>
+        lv /dev/ceph-<OSD-FSID/osd-block-<OSD-FSID>
+
+The Bluestore DB and WAL volumes may be optionally stored on separate
+devices again using a logical volume of the configured/default size on vg
+ceph-{db,wal}-<UUID>.
+
+.. code-block:: bash
+
+    pv /dev/sdb
+      vg /dev/ceph-<OSD-FSID>
+        lv /dev/ceph-<OSD-FSID/osd-block-<OSD-FSID>
+    pv /dev/sdg
+      vg /dev/ceph-db-<UUID>
+        lv /dev/ceph-db-<UUID>/osd-db-<OSD-FSID>
+    pv /dev/sdh
+      vg /dev/ceph-wal-<UUID>
+        lv /dev/ceph-wal-<UUID>/osd-wal-<OSD-FSID>
+
+Note that ceph-volume is only provided with Ceph Luminous or later releases;
+as a result encryption under Ceph Jewel is explicitly excluded from the scope
+of this specification.
+
+Alternatives
+------------
+
+ceph
+~~~~
+
+Use of native suppport in Ceph for OSD encryption; discounted as it makes use
+of the ceph-mon cluster for key storage - keys are not sharded and deployments
+typically place ceph-mon units alongside ceph-osd units so its possible that
+the encryption keys might directly reside on the same server as encrypted
+Ceph OSD block devices.
+
+.. note::
+
+    The ceph-osd charm already supports native Ceph block device
+    encryption using ceph-disk/ceph-volume via the osd-encrypt option.
+
+Support for use of vault could be added to ceph-volume; however due to the
+requirement to support existing Ceph releases (>= Luminous) this option
+is discounted in the short term but may be considered in the long term if
+support lands into Ceph upstream.
+
+cinder
+~~~~~~
+
+Cinder has native support for block device encryption using LUKS; keys are
+stored using Barbican which relies on HSM's implementing PKCS#11 of KMIP to
+be considered secure.  This would provide the required level of encryption
+support for Cinder block devices however does require use of a hardware
+based security module (Barbican does not have Vault support).
+
+nova
+~~~~
+
+Nova has native support for encryption of ephemeral disks if using an LVM
+backend for storage; again keys are stored in barbican, requiring use of a
+HSM or implementation of support for a suitable Software Security Module in
+Barbican.  Use of this option is also limited to LVM storage only.
+
+swift
+~~~~~
+
+Swift has no native encryption support so no alternatives considered for this
+part of the problem domain.
+
+Implementation
+==============
+
+Assignee(s)
+-----------
+
+Primary assignee:
+
+    james-page
+
+Gerrit Topic
+------------
+
+Use Gerrit topic "vaultlocker" for all patches related to this spec.
+
+.. code-block:: bash
+
+    git-review -t vaultlocker
+
+Work Items
+----------
+
+vaultlocker
+~~~~~~~~~~~
+
+- base codebase (support for encrypt/decrypt)
+- unit tests
+- functional tests
+
+QA
+~~
+
+- mojo specification to validate encryption-at-rest support
+
+Docs
+~~~~
+
+- example bundle + documentation for encryption-at-rest
+- appendix for deployment guide on usage and security considerations
+
+charmhelpers
+~~~~~~~~~~~~
+
+- block device encryption helper
+
+ceph-osd
+~~~~~~~~
+
+- add support for use of ceph-volume >= Luminous
+- enable support for block device encryption using vaultlocker
+- add relation to vault
+
+swift-storage
+~~~~~~~~~~~~~
+
+- enable support for block device encryption using vaultlocker
+- add relation to vault
+
+nova-compute
+~~~~~~~~~~~~
+
+- enable support for block device encryption using vaultlocker
+- add relation to vault
+
+Repositories
+------------
+
+A new repository will be required for vaultlocker.
+
+Documentation
+-------------
+
+Documentation will be provided as part of the ceph-osd, swift-storage
+and nova-compute charms.
+
+An additional appendix will be added to the charm deployment guide to
+cover encryption at rest.
+
+Security
+--------
+
+As this solution covers the security of encryption keys used to secure
+block devices from unauthorized removal there are multiple security
+concerns to address.
+
+Communication with Vault will be done over a TLS encrypted connection
+using an AppRole (without a secret_id) for authentication which will be
+delivered to the consuming charm over a charm relation; connectivity with
+Juju also TLS encrypted so the potential for interception of the AppRole
+is limited.
+
+The secret_id for the unit to use with the AppRole is passed out-of-band
+of Juju - a one-shot token is passed over the vault-kv relation, which
+can only be used by the consuming unit to retrieve the generated
+secret_id for the AppRole.  The token has a 1hr TTL and is CIDR limited
+in the same way as the AppRole.
+
+Encryption keys will be stored under a Vault path specific to the AppRole.
+The Vault AppRole will limit access to the secrets backend based on the
+CIDR of the accessing servers.
+
+Testing
+-------
+
+Functionality will be validated by unit and functional tests within
+each component.
+
+Overall solution function will be validated using a Mojo spec.
+
+Dependencies
+============
+
+- Production grade vault charm.
+- AppRole interface to vault charm.