Creating LUKS‑Encrypted Volumes

OpenStack enables at‑rest encryption of volumes with LUKS. On NWS OpenStack the volume‑type option for at‑rest encryption is called LUKS. Further information and step‑by‑step guides for setting up encrypted volumes are listed below.

How does OpenStack encrypt volumes?

When you create an encrypted volume via the Horizon UI or the OpenStack CLI, OpenStack automatically generates the required encryption key and stores it in Barbican, OpenStack’s key manager.
All LUKS volumes on NWS OpenStack are encrypted with aes‑xts‑plain64 using a 256‑bit key.

Because secrets in NWS OpenStack are billed per secret, each encrypted volume incurs a minimal additional cost (€0.40 per secret per month, as of 03/2024).

When an encrypted volume is attached to a server, OpenStack automatically decrypts it in the background using the encryption key stored in Barbican. The attached volume can then be used on the server just like any other (unencrypted) volume.

Creating Encrypted Volumes in OpenStack

Encrypted volumes can be created either through the Horizon UI or from the terminal with the OpenStack CLI.

Using the Horizon UI

In the OpenStack Horizon UI first select the appropriate project, then follow these steps:

  1. Navigate to Volumes > Volumes
  2. Click Create Volume
  3. Configure the volume
  4. [Required] Set a Name
  5. [Optional] Enter a Description
  6. [Required] Choose a Volume Source
  7. [Required] Set LUKS as the Volume Type
  8. [Optional] Adjust the Volume Size
  9. [Optional] Select a Volume Group
  10. Confirm the settings and create the volume by clicking Create Volume

OpenStack will now start creating the volume, which will appear under Volumes > Volumes after the page reloads.

Using the OpenStack CLI

First load the OpenStackRC.sh file and select the appropriate project:

source nws-id-openstack-rc.sh

Testing authentication and retrieving project list ...

Please select one of the OpenStack projects:

1) 20631-openstack-04223  3) 5475-openstack-41b6b   5) 5475-openstack-8bdaf   7) 5475-openstack-a169e
2) 5475-openstack-1ccca   4) 5475-openstack-4745f   6) 5475-openstack-9d52e   8) 5475-openstack-c716d
Enter number: 1
Selected project: 20631-openstack-04223

Then a new encrypted volume can be created with the following command:

openstack volume create \
  --type LUKS \
  --size <size> \
  --description <description> \
  --image <image> \
  <name>

The following parameters can be supplied:

  • <size>: Size of the volume in GB, required if <image> is not provided
  • <description>: Description of the volume, optional
  • <image>: Reference to an image if the volume should be based on an image, optional
  • <name>: Name of the volume, required

Attaching Encrypted Volumes to a Server

Encrypted volumes can be attached to servers either via the Horizon UI or from the terminal with the OpenStack CLI, just like unencrypted volumes.

Using the Horizon UI

In the OpenStack Horizon UI select the appropriate project and follow these steps:

  1. Navigate to Compute > Instances
  2. Identify the server in the list to which the volume should be attached
  3. Open the dropdown menu in the Actions column of that server
  4. Click Attach Volume and select the desired volume
  5. Confirm by clicking Attach Volume

After a few seconds the volume should appear on the server under /dev/sdX.

Using the OpenStack CLI

First load the OpenStackRC.sh file and select the appropriate project:

source nws-id-openstack-rc.sh

Testing authentication and retrieving project list ...

Please select one of the OpenStack projects:

1) 20631-openstack-04223  3) 5475-openstack-41b6b   5) 5475-openstack-8bdaf   7) 5475-openstack-a169e
2) 5475-openstack-1ccca   4) 5475-openstack-4745f   6) 5475-openstack-9d52e   8) 5475-openstack-c716d
Enter number: 1
Selected project: 20631-openstack-04223

Then the volume can be attached to a server with the following command:

openstack server add volume --device <device> <server> <volume>

The required parameters are:

  • <device>: Internal device name on the server, e.g. /dev/sdb, required
  • <server>: Name or UUID of the server to which the volume should be attached, required
  • <volume>: Name or UUID of the volume to attach, required

After a few seconds the volume should appear on the server under /dev/sdX.
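The following script is an added example, not part of the NWS documentation, that chains the two CLI procedures above (creating the volume, then attaching it) and inserts the check a practitioner wants in between: it refuses to attach unless `openstack volume show` reports encrypted=True and type=LUKS, so a mistyped volume type cannot silently land sensitive data on an unencrypted disk. It assumes the RC file has already been sourced; the NWS_RUN guard and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not NWS code): create a LUKS volume, verify the encryption
# actually applied, then attach it. Assumes an OpenStack RC file was sourced.
set -eu

# Build the arguments for `openstack volume create`, enforcing the rule from
# the text: --size is required unless --image is given. Prints the arguments.
build_create_args() {
  name="$1"; size="${2:-}"; image="${3:-}"
  [ -n "$name" ] || { echo "name is required" >&2; return 1; }
  if [ -z "$size" ] && [ -z "$image" ]; then
    echo "either size or image is required" >&2; return 1
  fi
  args="--type LUKS"
  if [ -n "$size" ]; then args="$args --size $size"; fi
  if [ -n "$image" ]; then args="$args --image $image"; fi
  printf '%s %s\n' "$args" "$name"
}

# The check to run before trusting a volume with sensitive data: the two
# values come from `openstack volume show -f value -c encrypted` and
# `-c type`; passed as arguments so the logic can be tested without a cloud.
volume_is_luks() {
  [ "$1" = "True" ] && [ "$2" = "LUKS" ]
}

# Poll until the volume is available (up to ~5 minutes); fail on error state.
wait_until_available() {
  i=0
  while [ "$i" -lt 60 ]; do
    status=$(openstack volume show -f value -c status "$1")
    [ "$status" = "available" ] && return 0
    [ "$status" = "error" ] && return 1
    i=$((i + 1)); sleep 5
  done
  return 1
}

# Usage: NWS_RUN=1 ./luks-volume.sh <name> <size> <server> <device>
if [ "${NWS_RUN:-0}" = 1 ]; then
  vol_id=$(openstack volume create $(build_create_args "$1" "$2") -f value -c id)
  wait_until_available "$vol_id"
  enc=$(openstack volume show -f value -c encrypted "$vol_id")
  vtype=$(openstack volume show -f value -c type "$vol_id")
  volume_is_luks "$enc" "$vtype" ||
    { echo "refusing to attach $vol_id: not LUKS-encrypted" >&2; exit 1; }
  openstack server add volume --device "$4" "$3" "$vol_id"
fi
```

The guarded main block only runs when NWS_RUN=1 is set, so the two helper functions can be exercised (or sourced into other scripts) without touching the cloud.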

More detailed guides for creating and using encrypted volumes, as well as general information about encrypted volumes in OpenStack, can be found at the following links: