marshal/README.md

Marshal

Overview

• Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption keys from ia KMS like Barbican.
• This agent will be interfacing with the disk encryption subsystem of the underlying operating system to encrypt/decrypt the disk I/O.
• In the case of Linux-based virtual machines this agent will be interfacing with dm-crypt and for Windows OS it will be interfacing with Bit-locker.
• The agent provides an abstraction service and can be integrated with other encryption subsystem as required.
• When the agent reads a key from the KMS, the key is only stored briefly in a secure temporary file until it can be transferred to the disk encryption subsystem.

Table of Contents

• Overview
• Features
• Architecture
• Getting Started
• Software Requirements
• Deployment Procedure
• Documentation
• Roadmap
• Core Components and Features
• Security
• Operations
• Platform Support
• Development
• License

Features

• Disk encryption subsystem abstraction allowing for a consistent interface
• KMS system abstraction allowing for a consistent interface
• Encryption at various levels including full disk encryption, partition encryption including root partition

Architecture

---

Getting Started

Deployment

#####For production purposes, Marshal is intended to be deployed as a Debian Package embedded into OpenStack VMs

Deploying Using Debian Package

Building and testing debian package

For test purposes, Marshal can be cloned using normal Git semantics:

Clone to local repository:

#####Via SSH: $ git clone git@github.com:openstack/marshal.git

#####Via HTTPS: $ git clone https://github.com/openstack/marshal.git

Software Requirements

---

• Python 2.7.8
• Cryptsetup (if Linux OS)

Deployment Procedure

---

Please refer to the Getting Started Guide, which covers deployment, configuration, and example usage.

Documentation

All documentation is located here

Roadmap

• KMS for infrastructure tenants
• Volume encryption (With Marshal)
• Certificate provisioning
• Object Encryption
• High key use tenants and IOT
• KMaaS

Core Components and Features

---

List core components and features here

• Orchestration

Security

---

List the security services it provides

• Encryption

Operations

---

Disk encryption

Automatic key retreival from a KMS

Platform Support

---

Currently, only the Linux platform is supported using dm_crypt. Support Windows using bitlocker currently in the planning stages.

Currently, only the OpenStack Barbican KMS is supported. Support for other KMSs is currently in the planning stages.

Currently, only cloud-based KMSs are supported. Support for local KMSs is currently in the planning stages.

Development

Write about the details of how anyone can contribute to the project.

Getting Support

Write about the support details of the project.In case of any issue how anyone can get the support.

License

Write about the license details of the project.