openstack/nova-specs
Code Issues Proposed changes
3d285f2ea4
nova-specs/specs/newton/approved/stop-dmcrypt-on-suspend.rst
Dane Fichter 5fc9fad96d Stop encrypted disk on instance suspend/power off 
Disconnecting dm-crypt device from an encrypted LVM volume while the
instance is suspended or powered off will secure user data from
unauthorized access. This will extend data at-rest protection provided
by the LVM ephemeral storage encryption feature.

Implements: blueprint stop-dmcrypt-on-suspend
SecurityImpact

Previously-approved: mitaka (I32cace0fb5f5ccf12638de4abd527aad5a6ec4ac)

Change-Id: If447521fdd54a5e999a36524b0adb01dd46496fa
2016-04-18 21:48:20 -04:00

134 lines
2.8 KiB
ReStructuredText
Raw Blame History

..
This work is licensed under a Creative Commons Attribution 3.0 Unported
License.
http://creativecommons.org/licenses/by/3.0/legalcode
====================================================================
Stop dm-crypt device when an encrypted instance is suspended/stopped
====================================================================
https://blueprints.launchpad.net/nova/+spec/stop-dmcrypt-on-suspend
Disconnect the dm-crypt device from encrypted LVM volume when an
instance with encrypted LVM ephemeral storage is suspended or powered off.
Problem description
===================
The recently introduced LVM ephemeral storage encryption features secures
user data at rest. Current implementation makes user data unreadable after
the instance has been terminated. While the instance is active (e.g.,
running, paused, suspended or powered off), on the compute host the data is
readable only by the super-user. This protection against unauthorized
access can be strengthened further by disconnecting the dm-crypt device when
an instance is suspended or powered off and flushing the encryption key from
memory. The dm-crypt device is what allows the encrypted data to be
accessed in the clear so disconnecting it will render the data unreadable by
anyone without the key.
Use Cases
---------
An encrypted instance operating on sensitive data is stopped but not destroyed
-- the work to be resumed later.
Proposed change
===============
The change will add code to stop the dm-crypt device and flush the key in
libvirt.driver.power_off() and libvirt.driver.suspend() and code to retrieve
instance ephemeral encryption key and restart the dm-crypt device in
libvirt.driver.power_on() and libvirt.driver.resume().
Alternatives
------------
There is no real alternative.
Data model impact
-----------------
None
REST API impact
---------------
None
Security impact
---------------
User data will be inaccessible to anyone while the instance is powered off or
suspended.
Notifications impact
--------------------
None
Other end user impact
---------------------
None
Performance Impact
------------------
The power on and resume operations will be marginally slower for encrypted
instances.
Other deployer impact
---------------------
None
Developer impact
----------------
None
Implementation
==============
Assignee(s)
-----------
Primary assignee:
dane-fichter (Dane Fichter)
Work Items
----------
* Add dm-crypt stop/restart functionality to suspend()/resume().
* Add dm-crypt stop/restart functionality to power_off()/power_on().
Dependencies
============
None
Testing
=======
Unit tests will be written to verify correct operation of
the proposed feature.
Documentation Impact
====================
The extension of data-at-rest security to powered off and suspended instances
should be mentioned in OpenStack Security Guide.
References
==========
None
View Git Blame Copy Permalink