189a1096da
Assist users who are switching from the legacy ConfKeyManager to Barbican by automatically migrating any existing keys. Key migration is executed in its own thread spawned on cinder-volume startup.

Two factors are used to determine whether existing keys need to be migrated.

1) The ConfKeyManager's fixed_key config value is set (not None). This indicates volumes may exist that were encrypted using the ConfKeyManager.

2) Barbican is the current key manager.

When both conditions are met, each instance of the cinder-volume service scans its volumes in the database, looking for volumes using the ConfKeyManager's all-zeros encryption key ID. If a volume has an all-zeros key ID, the same secret (derived from the fixed_key) is stored in Barbican, and all database references to that volume's key ID are replaced with the new Barbican key ID.

Implements: blueprint migrate-fixed-key-to-barbican
Change-Id: Ic70f45762cf4e426c222415e49b947a328282ca0
14 lines
676 B
YAML
```yaml
---
features:
  - |
    When Barbican is the encryption key_manager backend, any encryption keys
    associated with the legacy ConfKeyManager will be automatically migrated
    to Barbican. All database references to the ConfKeyManager's all-zeros key
    ID will be updated with a Barbican key ID. The encryption keys do not
    change. Only the encryption key ID changes.

    Key migration is initiated on service startup, and entries in the
    cinder-volume log will indicate the migration status. Log entries will
    indicate when a volume's encryption key ID has been migrated to Barbican,
    and a summary log message will indicate when key migration has finished.
```
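The migration flow described in the commit message and the release note, as an added example (not Cinder's own code): an in-memory stand-in for Barbican and for the database rows. The all-zeros key ID value, the sample fixed_key (taken to be a hex string) and the row layout are constructed for the example.

```python
import uuid

# Constructed for this example: the all-zeros key ID the legacy ConfKeyManager assigns.
ALL_ZEROS_KEY_ID = "00000000-0000-0000-0000-000000000000"
# Constructed sample fixed_key (assumed hex-encoded, 256 bits).
FIXED_KEY = "ab" * 32

class FakeBarbican:
    """In-memory stand-in for Barbican: store() keeps the secret and returns a new key ID."""
    def __init__(self):
        self.secrets = {}

    def store(self, secret: bytes) -> str:
        key_id = str(uuid.uuid4())
        self.secrets[key_id] = secret
        return key_id

def should_migrate(fixed_key, backend):
    """Both startup conditions must hold before any key is touched."""
    return fixed_key is not None and backend == "barbican"

def migrate_keys(fixed_key, backend, volumes, snapshots, barbican):
    """Replace all-zeros key IDs with Barbican key IDs; the secret bytes never change."""
    if not should_migrate(fixed_key, backend):
        return 0
    secret = bytes.fromhex(fixed_key)  # same secret the ConfKeyManager derived from fixed_key
    migrated = 0
    for vol in volumes:
        if vol["encryption_key_id"] != ALL_ZEROS_KEY_ID:
            continue  # unencrypted, or already carries a Barbican key ID (re-runs are no-ops)
        new_id = barbican.store(secret)
        vol["encryption_key_id"] = new_id
        # Every database reference to this volume's key (here: its snapshots) follows it.
        for snap in snapshots:
            if snap["volume_id"] == vol["id"] and snap["encryption_key_id"] == ALL_ZEROS_KEY_ID:
                snap["encryption_key_id"] = new_id
        migrated += 1
    return migrated

def run_demo():
    """Constructed rows: one legacy volume with a snapshot, one volume already on Barbican."""
    barbican = FakeBarbican()
    volumes = [{"id": "v1", "encryption_key_id": ALL_ZEROS_KEY_ID},
               {"id": "v2", "encryption_key_id": "existing-barbican-id"}]
    snapshots = [{"id": "s1", "volume_id": "v1", "encryption_key_id": ALL_ZEROS_KEY_ID}]
    count = migrate_keys(FIXED_KEY, "barbican", volumes, snapshots, barbican)
    return count, volumes, snapshots, barbican
```

A second run over the same rows migrates nothing, which is the property that lets every cinder-volume instance run the scan at startup without double-migrating.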