In this talk, Vladi looks at the new Volume encryption option (due in CloudStack 4.18). He presents the new ability to use encrypted root and data volumes on different storage types, the benefits and the current limitations of the implementation.
Vladimir Petrov is a QA engineer with more than 20 years of experience in the IT field. He is using and testing Apache CloudStack for almost 3 years now. Currently working as a QA Engineer in ShapeBlue.
-----------------------------------------
CloudStack Collaboration Conference 2022 took place on 14th-16th November in Sofia, Bulgaria and virtually. The day saw a hybrid get-together of the global CloudStack community hosting 370 attendees. The event hosted 43 sessions from leading CloudStack experts, users and skilful engineers from the open-source world, which included: technical talks, user stories, new features and integrations presentations and more.
2. About me
l Living in Sofia, father of two boys
l Software engineer in test @ShapeBlue
l 20+ years professional experience in the IT field
l Almost 3 years working with CloudStack on a daily basis
4. Introduction
l Coming in the next ACS LTS release 4.18
l Created by Marcus Sorensen from Apple and Suresh Anaparti
l Transparent to the guest OS
l Both root and data volumes can be encrypted
l Two parts implementation:
- API/UI changes
- Storage driver
l First implementation phase
5. Requirements
l Currently only KVM hypervisor is supported
l QEMU-EV v2.6+ is required
l Supported storage types:
- Local storage
- NFS
- PowerFlex/ScaleIO
- Shared mountpoint
6. Details
l Simplifies the process of keys management
l The passphrase is stored in the database, encrypted with the
CloudStack’s standard configured DB encryption.
l qcow2 based storage – qemu-img is used to setup the file with
LUKS encryption
l Block based storages (currently just ScaleIO) – cryptsetup utility
is used to format the block device as LUKS for data disks but
qemu-img is used for template copy
l The used cipher is XTS-AES 256 which is a leading industry
standard
7. VM operations
l Supported VM operations:
- Start/Stop
- Reboot
- Reinstall
- Expunge/recover
- Scale up
- Migrate running instance to another host
10. Volume operations
l Unsupported volume operations:
- Download volume
- Migrate volume
- Recurring snapshots
- Create template from encrypted volume snapshot
- Create volume from encrypted volume snapshot
11. Hosts preparation
l Install qemu-ev:
#yum install -y qemu-kvm-common-ev-2.10.0 qemu-kvm-
ev-2.10.0 qemu-img-ev-2.10.0 qemu-kvm-tools-ev-2.10.0
l Install cryptsetup:
#yum install cryptsetup
l Optional:
rngd (EL) or rng-tools (Ubuntu)
package for better entropy
l Restart the agent
15. Future?
l Add support for other hypervisors
l Support more VM/volume operations
l More storage types support – CEPH, Linbit, StorPool?
l Show volume encryption status
l Support LUKS2 encryption