Update image encryption spec

For raw and gpt images the disk_format of encrypted images should
be set to the main encryption-mechanism. The os_encrypt_format should
state the specific version: e.g. LUKSv1. The original disk format
will now be stated in the os_decrypt_format parameter.

For qcow2 images the disk_format will stay qcow2.

Change-Id: I4766c4904d927216fee9f1f3f7356fcededd3e7e
Josephine Seifert 2024-09-03 15:18:42 +02:00 committed by Pranali Deore
parent fbf0860595
commit 1386be3a33

@ -82,11 +82,21 @@ Use Cases
Proposed change
===============
There are two ways encryption in images can be handled. The first is having a
qcow2 formatted disk with an internal encryption. The 'disk_format' for such an
image will consequently be 'qcow2' and the encryption can be detected through
the presence of the proposed additional metadata.
For other images the 'disk_format' will be used to indicate the encryption. It
should state the main encryption mechanism used, which for now is 'luks'. We
additionally assume that the format of a decrypted LUKS-image will always be
'raw'. The format can only be checked after a decryption of at least the first
few bytes this is currently out of scope for Glance. Every service, that uses
such encrypted LUKS-images needs to be aware of it.
Furthermore, we propose the following additional metadata properties carried by
images of this format:
* 'os_encrypt_format' - the main mechanism used, e.g. 'LUKS'
* 'os_encrypt_cipher' - the cipher algorithm, e.g. 'AES256'
* 'os_encrypt_format' - the specific mechanism used, e.g. 'LUKSv1'
* 'os_encrypt_key_id' - reference to key in the key manager
* 'os_encrypt_key_deletion_policy' - on image deletion indicates whether the
key should be deleted too
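
Review bot: In the new paragraph on non-qcow2 images, the assumption that a decrypted LUKS image "will always be 'raw'" conflicts with carrying an 'os_decrypt_format' property for exactly that value; either state that 'raw' is the only permitted value or drop the assumption. Because the same paragraph puts format checking out of scope for Glance, it should also say explicitly that consuming services must verify the format of the decrypted payload themselves and not rely on the property alone. The sentence ending "first few bytes this is currently out of scope for Glance" needs a full stop or semicolon before "this".
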
@ -94,9 +104,6 @@ images of this format:
'bare'
* 'os_decrypt_size' - size after payload decryption
The 'disk_format' of images, that will be used by Nova and Cinder are either
'qcow2' or 'raw'.
To upload an encrypted image to Glance we want to extend the OpenStack Client
to allow the specification of the necessary metadata properties as the key ID
and the encryption and optionally metadata properties as for example the
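
Review bot: With the sentence about Nova and Cinder using 'qcow2' or 'raw' dropped here (the header shows 9 lines becoming 6), the spec no longer says which 'disk_format' values those services have to accept. Replace it with a sentence covering the new 'luks' value instead of deleting it outright, so that a consumer unaware of the change does not treat an encrypted image as a plain one.
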
@ -216,9 +223,9 @@ Example request:
```
REQ: curl -g -i -X POST
http://a.b.c.d/image/v2/images -H "Content-Type: application/json" .... -d '
{"disk_format": "raw", "name": "cirros", "container_format": "compressed",
"os_encrypt_format": "LUKS", "os_encrypt_key_id": "...",
"os_encrypt_key_deletion_policy": "True", "os_encrypt_cipher": "...",
{"disk_format": "LUKS", "name": "cirros", "container_format": "compressed",
"os_encrypt_format": "LUKSv1", "os_encrypt_key_id": "...",
"os_encrypt_key_deletion_policy": "True", "os_decrypt_format": "raw",
"os_decrypt_container_format": "bare", "os_decrypt_size": "...", ...}'
```
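
Review bot: The example request sets "disk_format": "LUKS" in upper case, while the Proposed change text names the value as 'luks'; pick one spelling and use it in both places, since consumers will match on the exact string. The updated example also no longer includes 'os_encrypt_cipher', although that property is still in the metadata list, so either keep it in the request or mark it as optional in the list.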