Adding library for encryption and decryption

This Spec describes a library oslo.encrypt for encryption and decryption of large files. For the contribution of Image Encryption it is necessary to have a library for the encryption of decryption of large binary files, so the code can be used by projects, which want tu encrypt or decrypt images. Change-Id: Id4ca0b3bf23d3d76484822d2ade27bf3c444afb0 Co-Authored-By: Markus Hentsch <markus.hentsch@secustack.com>
2018-11-19 14:43:02 +01:00 · 2018-11-19 14:43:02 +01:00 · 8a3b75676c
parent 4c9945ef6e
commit 8a3b75676c
1 changed files with 115 additions and 0 deletions
--- a/specs/stein/oslo-encrypt.rst
+++ b/specs/stein/oslo-encrypt.rst
@ -0,0 +1,115 @@
+====================================
+Proposed new library oslo.encrypt
+====================================
+
+This library should be used to encrypt or decrypt large binary data and files.
+
+Proposed library mission
+=========================
+
+A library is needed for the encryption and decryption of data and files, for
+example to allow the encryption of Glance images. It should consist of a
+suitable class hierarchy allowing for different implementations in a
+driver-like manner, each implementing methods to encrypt and decrypt data
+using a specific cipher (encryption drivers).
+
+The library should define an abstract base class for implementations and
+supply a sample encryption driver using GPG as proposed for image encryption.
+Furthermore the library should also provide a public method to retrieve the
+encryption driver for a given set of cipher specifications (cipher algorithm,
+type,  format), so that components consuming this library can use it without
+having to enumerate all available implementations.
+
+Consuming projects
+==================
+
+It will be used for the encryption and decryption of images in Nova [2] and
+Cinder [3] as well as in the openstackclient. Later on, all additional
+projects which add support for encrypted images may start using this library
+as well (e.g. Ironic).
+
+Alternatives library
+====================
+
+There aren't any libraries used for encryption and decrpytion methods in
+OpenStack yet. So we had to consider where this would fit best, which partly
+happened in a dedicated etherpad [1].
+
+One option would have been writing an independent library like cursive or
+os_brick or use cursive right away. But those libraries tend to become
+unmainted. Using another library like cursive would also bring in additional
+dependencies, which might be a problem for certain projects like
+openstackclient.
+
+Another option was to use openstacksdk, but for every other project than the
+openstackclient, this wasn't anything the corresponding team would have liked
+to add as a dependency.
+
+Proposed adoption model/plan
+============================
+
+The library will be incorporated by the core services Nova and Cinder as well
+as the openstackclient as soon as image encryption is added to each of them.
+As the support for image encryption expands, further services may start
+incorporating the library in the future. Reviewer activity
+=================
+
+As this library is designed for cryptographic operations the team to review
+should be the same as Castellan, which is at this point basically the same as
+in Barbican and the Security SIG.
+
+Implementation
+==============
+
+Author(s)
+---------
+
+Primary authors:
+  Markus Hentsch (mhen)
+  Josephine Seifert (Luzi)
+
+Other contributors:
+  None
+
+Work Items
+----------
+
+* Create a new library called oslo.encrypt
+
+* Gather core team - which would most likely be the Castellan core team
+
+* Implement base class and GPG encryption driver
+
+* Implement driver selection method
+
+References
+==========
+
+Original library discussion etherpad:
+
+[1]
+https://etherpad.openstack.org/p/library-for-image-encryption-and-decryption
+
+Image Encryption Specs:
+
+[2] Nova-Spec: https://review.openstack.org/#/c/608696/
+
+[3] Cinder Spec: https://review.openstack.org/#/c/608663/
+
+[4] Glance-Spec: https://review.openstack.org/#/c/609667/
+
+Revision History
+================
+
+.. list-table:: Revisions
+   :header-rows: 1
+
+   * - Release Name
+     - Description
+   * - Stein
+     - Introduced
+
+.. note::
+
+  This work is licensed under a Creative Commons Attribution 3.0 Unported
+  License. http://creativecommons.org/licenses/by/3.0/legalcode