Key retrieval agent for OpenStack instances.
OpenDev Sysadmins e9fdd49e11 OpenDev Migration Patch
This commit was bulk generated and pushed by the OpenDev sysadmins
as a part of the Git hosting and code review systems migration
detailed in these mailing list posts:

http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003603.html
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html

Attempts have been made to correct repository namespaces and
hostnames based on simple pattern matching, but it's possible some
were updated incorrectly or missed entirely. Please reach out to us
via the contact information listed at https://opendev.org/ with any
questions you may have.
2019-04-19 19:51:28 +00:00

Marshal

Overview

  • Marshal is an agent service running inside virtual machines, responsible for securely fetching encryption keys from a KMS such as Barbican.
  • The agent interfaces with the disk encryption subsystem of the underlying operating system to encrypt/decrypt the disk I/O.
  • For Linux-based virtual machines the agent interfaces with dm-crypt; for Windows it will interface with BitLocker.
  • The agent provides an abstraction layer and can be integrated with other encryption subsystems as required.
  • When the agent reads a key from the KMS, the key is stored only briefly in a secure temporary file until it can be handed to the disk encryption subsystem.
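The key-handling flow described above, as an added example that is not Marshal's own code: a stub lookup stands in for a Barbican client, the key is written to an owner-only (0600) temporary file, that file is handed to dm-crypt through `cryptsetup open --key-file`, and the file is overwritten and unlinked as soon as cryptsetup returns. The stub KMS contents, the secret reference `secret-1234`, the device and mapping names, and the injectable `run` hook are assumptions made for illustration; with the default `run`, the cryptsetup call only succeeds as root against a real LUKS device.

```python
# Added example, not Marshal's own code. Demonstrates the flow in the Overview:
# fetch a key from a KMS, hold it only briefly in an owner-only temp file,
# hand that file to dm-crypt via cryptsetup, then scrub and unlink the file.
import os
import stat
import subprocess
import tempfile
from contextlib import contextmanager

# Constructed stand-in for Barbican (assumption). A real agent would use
# python-barbicanclient; the 32 zero bytes are sample data, not a real key.
FAKE_KMS = {"secret-1234": b"\x00" * 32}


def fetch_key(secret_ref):
    """Return the raw key bytes for secret_ref from the (stub) KMS."""
    try:
        return FAKE_KMS[secret_ref]
    except KeyError:
        raise LookupError("secret %s not found in KMS" % secret_ref)


@contextmanager
def ephemeral_key_file(key_bytes, directory=None):
    """Write key_bytes to a 0600 temporary file, yield its path, then
    overwrite the contents and unlink it. mkstemp already creates the file
    0600 with O_EXCL; fchmod makes the intent explicit. Overwriting is best
    effort on journaled or flash storage, so point `directory` at a tmpfs
    such as /run in production."""
    fd, path = tempfile.mkstemp(prefix="marshal-key-", dir=directory)
    try:
        os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)
        os.write(fd, key_bytes)
        os.fsync(fd)
        os.close(fd)
        fd = None
        yield path
    finally:
        if fd is not None:
            os.close(fd)
        try:
            with open(path, "r+b") as f:
                f.write(b"\x00" * len(key_bytes))
                f.flush()
                os.fsync(f.fileno())
        finally:
            os.unlink(path)


def cryptsetup_open_cmd(device, mapping_name, key_file):
    """argv to unlock a LUKS device with a key file. Passing the key via
    --key-file keeps it out of argv and the environment, both of which are
    readable through /proc by other processes on the guest."""
    return ["cryptsetup", "open", "--type", "luks",
            "--key-file", key_file, device, mapping_name]


class DryRunner(object):
    """Stand-in for subprocess.check_call: records the argv and a snapshot of
    the key file at call time instead of executing anything, so the flow can
    be exercised on a host without root or a real block device."""
    def __init__(self):
        self.calls = []

    def __call__(self, argv):
        key_file = argv[argv.index("--key-file") + 1]
        with open(key_file, "rb") as f:
            contents = f.read()
        self.calls.append({
            "argv": argv,
            "mode": stat.S_IMODE(os.stat(key_file).st_mode),
            "contents": contents,
        })


def unlock_volume(secret_ref, device, mapping_name,
                  run=subprocess.check_call, directory=None):
    """Fetch the key, expose it to cryptsetup only for the duration of the
    call, and report whether the temporary file is gone afterwards."""
    key = fetch_key(secret_ref)
    with ephemeral_key_file(key, directory) as key_file:
        run(cryptsetup_open_cmd(device, mapping_name, key_file))
    return {"key_file": key_file,
            "key_file_removed": not os.path.exists(key_file)}


if __name__ == "__main__":
    # Dry run against the constructed KMS; no device is touched.
    runner = DryRunner()
    result = unlock_volume("secret-1234", "/dev/vdb", "cryptdata", run=runner)
    print(runner.calls[0]["argv"], result)
```

The key file exists only inside the `with` block, so a failure in cryptsetup still leaves it scrubbed and unlinked; if the KMS lookup fails, no file is ever created. The unlink is the guarantee; the overwrite is a best-effort extra that a tmpfs-backed `directory` makes meaningful.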


Features

  • Disk encryption subsystem abstraction allowing for a consistent interface
  • KMS system abstraction allowing for a consistent interface
  • Encryption at various levels: full disk encryption and partition encryption, including the root partition

Architecture


Diagram1 (architecture diagram image)

Getting Started

Deployment

For production purposes, Marshal is intended to be deployed as a Debian package embedded into OpenStack VMs.

Deploying Using Debian Package

Building and testing debian package

For test purposes, Marshal can be cloned using normal Git semantics:

Clone to local repository:

  • Via SSH: `$ git clone git@github.com:openstack/marshal.git`
  • Via HTTPS: `$ git clone https://github.com/openstack/marshal.git`

Software Requirements


  • Python 2.7.8
  • Cryptsetup (if Linux OS)

Deployment Procedure


Please refer to the Getting Started Guide, which covers deployment, configuration, and example usage.

Documentation

All documentation is located here

Roadmap

  • KMS for infrastructure tenants
  • Volume encryption (With Marshal)
  • Certificate provisioning
  • Object Encryption
  • High key use tenants and IOT
  • KMaaS

Core Components and Features


List core components and features here
  • Orchestration

Security


List the security services it provides
  • Encryption

Operations


  • Disk encryption
  • Automatic key retrieval from a KMS

Platform Support


Currently, only the Linux platform is supported, using dm-crypt. Support for Windows using BitLocker is currently in the planning stages.
Currently, only the OpenStack Barbican KMS is supported. Support for other KMSs is currently in the planning stages.
Currently, only cloud-based KMSs are supported. Support for local KMSs is currently in the planning stages.

Development

Write about the details of how anyone can contribute to the project.

Getting Support

Write about the support details of the project. In case of any issue, how anyone can get support.

License

Write about the license details of the project.