--- features: - | To support the Block Storage service (Cinder) upload-volume-to-image action when the volume is an encrypted volume type, when such an image is deleted, Glance will now contact the OpenStack Key Management service (Barbican) and request it to delete the associated encryption key. Two extra properties must be set on the image for this to work: ``cinder_encryption_key_id`` (whose value is the identifier in the OpenStack Key Management service for the encryption key used to encrypt the volume) and ``cinder_encryption_key_deletion_policy`` (whose value may be either ``on_image_deletion`` or ``do_not_delete``). Please note the following: * An image created by the Block Storage service will have these properties set automatically, with the deletion policy set to ``on_image_deletion``. * The Block Storage service *always* creates a new secret in Barbican when it uploads a volume as an image, keeping a 1-1 relation between each secret stored in the Key Management Service and each image of an encrypted volume stored in Glance. Thus, deleting the Barbican secret *at the time when the image is deleted* will not cause data loss *as long as the secret is not being used for any other purpose*. * The Block Storage service will not use the secret associated with an image for any other purpose. * If you choose to use the Barbican secret identified by the value of ``cinder_encryption_key_id`` for any other purpose, you risk data loss. * Manual use of the ``cinder_encryption_key_*`` properties is *not* recommended. * If the ``cinder_encryption_key_deletion_policy`` image property is missing or has any value other than ``on_image_deletion``, Glance will **not** attempt to delete the key whose identifier is the value of ``cinder_encryption_key_id``. upgrade: - | The properties ``cinder_encryption_key_id`` and ``cinder_encryption_key_deletion_policy`` have been added to the *common image properties* and appear in the image schema. See the "New Features" section of these notes for information about these image properties.