189a1096da
Assist users who are switching from the legacy ConfKeyManager to Barbican by automatically migrating any existing keys. Key migration is executed in its own thread spawned on cinder-volume startup. Two factors are used to determine whether existing keys need to be migrated. 1) The ConfKeyManager's fixed_key config value is set (not None). This indicates volumes may exist that were encrypted using the ConfKeyManager. 2) Barbican is the current key manager. When the both conditions are met, each instance of the cinder-volume service scans its volumes in the database, looking for volumes using the ConfKeyManager's all-zeros encryption key ID. If a volume has an all-zeros key ID, the same secret (derived from the fixed_key) is stored in Barbican, and all database references to that volume's key ID are replaced with the new Barbican key ID. Implements: blueprint migrate-fixed-key-to-barbican Change-Id: Ic70f45762cf4e426c222415e49b947a328282ca0 |
||
|---|---|---|
| .. | ||
| __init__.py | ||
| fake.py | ||
| test_conf_key_mgr.py | ||
| test_migration.py | ||