Creating LUKS‑Encrypted Volumes
OpenStack enables at‑rest encryption of volumes with LUKS. On NWS OpenStack the volume‑type option for at‑rest encryption is signalled by the -encrypted suffix in a storage class name. Further information and step‑by‑step guides for setting up encrypted volumes are listed below.
How does OpenStack encrypt volumes?
When you create an encrypted volume via the Cloud console or the OpenStack CLI, OpenStack automatically generates the required encryption key and stores it in Barbican, OpenStack's key manager.
All LUKS encryption keys in the NETWAYS Cloud use 256‑bit aes‑xts‑plain64 encryption.
Because secrets in the NETWAYS Cloud are billed per secret, each encrypted volume incurs minimal additional cost (€0.40 per secret per month, as of 06/2026).
When an encrypted volume is attached to a server, OpenStack automatically decrypts it in the background using the encryption key stored in Barbican. The attached volume can then be used on the server just like any other (unencrypted) volume.
Creating Encrypted Volumes in OpenStack
Encrypted volumes can be created either through the Cloud console or from the terminal with the OpenStack CLI.
Using the Horizon UI
In the Cloud console first select the appropriate project, then follow these steps:
- Navigate to Storage > Volumes
- Click Create Volume
- Configure the volume
- [Optional] Set the Available Zone
- [Required] Choose a Volume Source
- [Required] Set
<storageclass>-encryptedas the Volume Type - [Optional] Adjust the Volume Size
- Confirm the settings and create the volume by clicking Confirm
OpenStack will now start creating the volume, which will appear under Storage > Volumes after the page reloads.
Using the OpenStack CLI
First load the OpenStackRC.sh file and select the appropriate project:
source nws-id-openstack-rc.sh
Testing authentication and retrieving project list ...
Please select one of the OpenStack projects:
1) 20631-openstack-04223 3) 5475-openstack-41b6b 5) 5475-openstack-8bdaf 7) 5475-openstack-a169e
2) 5475-openstack-1ccca 4) 5475-openstack-4745f 6) 5475-openstack-9d52e 8) 5475-openstack-c716d
Enter number: 1
Selected project: 20631-openstack-04223
Then a new encrypted volume can be created with the following command — the volume type can be chosen from the available storage classes:
openstack volume create \
--type <type> \
--size <size> \
--description <description> \
--image <image> \
<name>
The following parameters can be supplied:
<type>: Type of the volume, required<size>: Size of the volume in GB, required if<image>is not provided<description>: Description of the volume, optional<image>: Reference to an image if the volume should be based on an image, optional<name>: Name of the volume, required
Attaching Encrypted Volumes to a Server
Encrypted volumes can be attached to servers either via the Cloud console or from the terminal with the OpenStack CLI, just like unencrypted volumes.
Using the Cloud console
In the OpenStack Horizon UI select the appropriate project and follow these steps:
- Navigate to Compute > Instances
- Identify the server in the list to which the volume should be attached
- Open the dropdown menu in the Action column of that server
- In the Related Resources section click Attach Volume and select the desired volume
- Confirm by clicking OK
After a few seconds the volume should appear on the server under /dev/sdX.
Using the OpenStack CLI
First load the OpenStackRC.sh file and select the appropriate project:
source nws-id-openstack-rc.sh
Testing authentication and retrieving project list ...
Please select one of the OpenStack projects:
1) 20631-openstack-04223 3) 5475-openstack-41b6b 5) 5475-openstack-8bdaf 7) 5475-openstack-a169e
2) 5475-openstack-1ccca 4) 5475-openstack-4745f 6) 5475-openstack-9d52e 8) 5475-openstack-c716d
Enter number: 1
Selected project: 20631-openstack-04223
Then the volume can be attached to a server with the following command:
The required parameters are:
<server>: Name or UUID of the server to which the volume should be attached, required<volume>: Name or UUID of the volume to attach, required
After a few seconds the volume should appear on the server under /dev/sdX.
Further Links
More detailed guides for creating and using encrypted volumes, as well as general information about encrypted volumes in OpenStack, can be found at the following links:
- NWS blog post: LUKS Encrypted Storage on OpenStack
- OpenStack documentation: Volume encryption supported by the key manager