
Creating LUKS Encrypted Volumes

OpenStack allows you to encrypt volumes at rest using LUKS. On NWS OpenStack, the volume type that provides encryption-at-rest is conveniently called LUKS. See below for further information and how to set up encrypted volumes.

How Does OpenStack Encrypt Volumes?

When you create an encrypted volume from the Horizon UI or the OpenStack CLI, OpenStack will generate the necessary encryption key for you and store it in Barbican, OpenStack's key manager. All LUKS encryption keys on NWS OpenStack use 256-bit aes-xts-plain64 encryption.

As Secrets are billed on a per-secret basis in NWS OpenStack, each encrypted volume will incur minimal additional cost (0.40€ per Secret per month, as of 03/2024).

When attaching an encrypted volume to a server, OpenStack will decrypt it in the background using the encryption key stored in Barbican. The attached volume can be handled and consumed on the server like any other (unencrypted) volume.

Creating Encrypted Volumes in OpenStack

Encrypted volumes can be created either from the Horizon UI or from the terminal using the OpenStack CLI.

Using Horizon UI

In your OpenStack Horizon UI (at https://cloud.netways.de) make sure to pick the correct project, then follow the steps below:

  1. Navigate to Volumes > Volumes
  2. Click on Create Volume
  3. Configure the volume
    1. [Required] Set a name
    2. [Optional] Set a description
    3. [Required] Pick a volume source
    4. [Required] Set LUKS as Volume Type
    5. [Optional] Adjust volume size
    6. [Optional] Pick a volume group
  4. Confirm settings and create volume by clicking Create Volume

OpenStack will start creating the volume, which will appear listed under Volumes > Volumes upon reload.

Using OpenStack CLI

Source your OpenStackRC.sh file and pick the correct project:

source nws-id-openstack-rc.sh

Testing authentication and fetching project list ...

Please select one of your OpenStack projects.

1) 20631-openstack-04223  3) 5475-openstack-41b6b   5) 5475-openstack-8bdaf   7) 5475-openstack-a169e
2) 5475-openstack-1ccca	  4) 5475-openstack-4745f   6) 5475-openstack-9d52e   8) 5475-openstack-c716d
Enter a number: 1
Selected project: 20631-openstack-04223

Then, create a new, encrypted volume like this:

openstack volume create \
  --type LUKS \
  --size <size> \
  --description <description> \
  --image <image> \
  <name>

The following options can be passed as parameters:

  • <size>: size of the volume in GB, required if <image> is not passed
  • <description>: description of the volume, optional
  • <image>: image reference if the volume should be based on an image, optional
  • <name>: name of the volume, required

Attaching Encrypted Volumes to Servers

Encrypted volumes can be attached to servers either from the Horizon UI or from the terminal using the OpenStack CLI, just like any other volume.

Using Horizon UI

In your OpenStack Horizon UI (at https://cloud.netways.de) make sure to pick the correct project, then follow the steps below:

  1. Navigate to Compute > Instances
  2. Identify the server you want to attach the volume to in the list
  3. Expand the dropdown menu in the server's Action column
  4. Click Attach Volume and select the desired volume
  5. Confirm by clicking Attach Volume.

After a few seconds, the volume should be visible on the server at /dev/sdX.

Using OpenStack CLI

Source your OpenStackRC.sh file and pick the correct project:

source nws-id-openstack-rc.sh

Testing authentication and fetching project list ...

Please select one of your OpenStack projects.

1) 20631-openstack-04223  3) 5475-openstack-41b6b   5) 5475-openstack-8bdaf   7) 5475-openstack-a169e
2) 5475-openstack-1ccca	  4) 5475-openstack-4745f   6) 5475-openstack-9d52e   8) 5475-openstack-c716d
Enter a number: 1
Selected project: 20631-openstack-04223

Then, attach the volume to a server like this:

openstack server add volume --device <device> <server> <volume>

The following options need to be passed as parameters:

  • <device>: server internal device name, e.g. /dev/sdb, required
  • <server>: name or UUID of the server to attach the volume to, required
  • <volume>: name or UUID of the volume to attach to the server, required

After a few seconds, the volume should be visible on the server at /dev/sdX.
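
The two CLI steps above (create with --type LUKS, then attach) combined into one script, as an added example that is not part of the NWS documentation. Before attaching, it checks the `encrypted` and `type` fields reported by `openstack volume show`, so a volume that was not created as LUKS is never attached by mistake. The function names, `POLL_INTERVAL` and the default device `/dev/sdb` are assumptions made for this example.

```bash
# Added example (not NWS code). Assumes the RC file is sourced and the
# `openstack` client is on PATH; function names and POLL_INTERVAL are made up here.

# Print one field of a volume (e.g. status, encrypted, type).
volume_field() {
  openstack volume show "$1" -f value -c "$2"
}

# Wait while the volume is "creating"; fail on anything other than "available".
wait_for_available() {
  local vol="$1" tries="${2:-30}" status
  while [ "$tries" -gt 0 ]; do
    status=$(volume_field "$vol" status)
    case "$status" in
      available) return 0 ;;
      creating)  sleep "${POLL_INTERVAL:-2}" ;;
      *)         echo "volume $vol entered status '$status'" >&2; return 1 ;;
    esac
    tries=$((tries - 1))
  done
  echo "timed out waiting for volume $vol" >&2
  return 1
}

# create_luks_volume <name> <size-GB>: prints the volume ID only if the API
# reports the new volume as encrypted and of type LUKS.
create_luks_volume() {
  local name="$1" size="$2" id
  id=$(openstack volume create --type LUKS --size "$size" -f value -c id "$name") || return 1
  wait_for_available "$id" || return 1
  if [ "$(volume_field "$id" encrypted)" != "True" ] ||
     [ "$(volume_field "$id" type)" != "LUKS" ]; then
    echo "volume $id is not reported as an encrypted LUKS volume" >&2
    return 1
  fi
  echo "$id"
}

# attach_encrypted <server> <name> <size-GB> [device]; /dev/sdb is an assumed default.
attach_encrypted() {
  local server="$1" id
  id=$(create_luks_volume "$2" "$3") || return 1
  openstack server add volume --device "${4:-/dev/sdb}" "$server" "$id"
}
```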

Further Information

If you are looking for more detailed instructions on creating and mounting encrypted volumes or want to learn more about encrypted volumes on OpenStack in general, see the links below: