Adding library for encryption and decryption
This spec describes a library oslo.encrypt for encryption and decryption of large files. For the contribution of Image Encryption it is necessary to have a library for the encryption and decryption of large binary files, so the code can be used by projects which want to encrypt or decrypt images.

Change-Id: Id4ca0b3bf23d3d76484822d2ade27bf3c444afb0
Co-Authored-By: Markus Hentsch <markus.hentsch@secustack.com>
This commit is contained in:
parent 4c9945ef6e
commit 8a3b75676c
@ -0,0 +1,115 @@
====================================
Proposed new library oslo.encrypt
====================================

This library should be used to encrypt or decrypt large binary data and files.

Proposed library mission
=========================

A library is needed for the encryption and decryption of data and files, for
example to allow the encryption of Glance images. It should consist of a
suitable class hierarchy allowing for different implementations in a
driver-like manner, each implementing methods to encrypt and decrypt data
using a specific cipher (encryption drivers).

The library should define an abstract base class for implementations and
supply a sample encryption driver using GPG as proposed for image encryption.
Furthermore the library should also provide a public method to retrieve the
encryption driver for a given set of cipher specifications (cipher algorithm,
type, format), so that components consuming this library can use it without
having to enumerate all available implementations.

Consuming projects
==================

It will be used for the encryption and decryption of images in Nova [2] and
Cinder [3] as well as in the openstackclient. Later on, all additional
projects which add support for encrypted images may start using this library
as well (e.g. Ironic).

Alternatives library
====================

There aren't any libraries used for encryption and decrpytion methods in
OpenStack yet. So we had to consider where this would fit best, which partly
happened in a dedicated etherpad [1].

One option would have been writing an independent library like cursive or
os_brick or use cursive right away. But those libraries tend to become
unmainted. Using another library like cursive would also bring in additional
dependencies, which might be a problem for certain projects like
openstackclient.

Another option was to use openstacksdk, but for every other project than the
openstackclient, this wasn't anything the corresponding team would have liked
to add as a dependency.

Proposed adoption model/plan
============================

The library will be incorporated by the core services Nova and Cinder as well
as the openstackclient as soon as image encryption is added to each of them.
As the support for image encryption expands, further services may start
incorporating the library in the future. Reviewer activity
=================

As this library is designed for cryptographic operations the team to review
should be the same as Castellan, which is at this point basically the same as
in Barbican and the Security SIG.

Implementation
==============

Author(s)
---------

Primary authors:
Markus Hentsch (mhen)
Josephine Seifert (Luzi)

Other contributors:
None

Work Items
----------

* Create a new library called oslo.encrypt

* Gather core team - which would most likely be the Castellan core team

* Implement base class and GPG encryption driver

* Implement driver selection method

References
==========

Original library discussion etherpad:

[1]
https://etherpad.openstack.org/p/library-for-image-encryption-and-decryption

Image Encryption Specs:

[2] Nova-Spec: https://review.openstack.org/#/c/608696/

[3] Cinder Spec: https://review.openstack.org/#/c/608663/

[4] Glance-Spec: https://review.openstack.org/#/c/609667/

Revision History
================

.. list-table:: Revisions
:header-rows: 1

* - Release Name
- Description
* - Stein
- Introduced

.. note::

This work is licensed under a Creative Commons Attribution 3.0 Unported
License. http://creativecommons.org/licenses/by/3.0/legalcode
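Review bot: the driver interface described under "Proposed library mission" (each driver "implementing methods to encrypt and decrypt data") does not say how large inputs are processed, even though the stated purpose is "large binary data and files"; the spec should commit to a streaming interface (file-like objects or chunked input and output) so that a consuming service such as Nova or Cinder never has to hold an entire image in memory. In the same section it should state where a driver obtains its key material (Castellan and Barbican are named only as the reviewing team, not as the key source) and whether the GPG sample driver is expected to provide integrity protection in addition to confidentiality, since the driver selection method keyed on (cipher algorithm, type, format) gives consumers no other way to know what guarantees they get. Two smaller items under "Alternatives library": "decrpytion" and "unmainted" are typos, and reference [4] (Glance-Spec) is listed but never cited in the text, while [1], [2] and [3] are. As the hunk appears here, the "Reviewer activity" title also runs on from the end of the preceding paragraph ("in the future. Reviewer activity"), and the list-table's ":header-rows: 1" and the "- Description" / "- Introduced" cells are not indented under their directive and bullets, so the RST would not render that section title or the revisions table as intended.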