Apache CloudStack
Volume encryption
Vladimir Petrov
About me

Living in Sofia, father of two boys

Software engineer in test @ShapeBlue

20+ years professional experience in the IT field

Almost 3 years working with CloudStack on a daily basis
Agenda

Introduction

Requirements

Details

Supported and unsupported operations

Hosts preparation

Service and disk offerings

Q&A
Introduction

Coming in the next ACS LTS release 4.18

Created by Marcus Sorensen from Apple and Suresh Anaparti

Transparent to the guest OS

Both root and data volumes can be encrypted

Two parts implementation:


API/UI changes

Storage driver
First implementation phase
Requirements

Currently only KVM hypervisor is supported

QEMU-EV v2.6+ is required

Supported storage types:

Local storage

NFS

PowerFlex/ScaleIO

Shared mountpoint
Details





Simplifies the process of keys management
The passphrase is stored in the database, encrypted with the
CloudStack’s standard configured DB encryption.
qcow2 based storage – qemu-img is used to setup the file with
LUKS encryption
Block based storages (currently just ScaleIO) – cryptsetup utility
is used to format the block device as LUKS for data disks but
qemu-img is used for template copy
The used cipher is XTS-AES 256 which is a leading industry
standard
VM operations

Supported VM operations:

Start/Stop

Reboot

Reinstall

Expunge/recover

Scale up

Migrate running instance to another host
VM operations

Unsupported VM operations:

VM Snapshot

Volume snapshot

Recurring snapshot
Volume operations

Supported volume operations:

Attach/detach encrypted volume

Volume snapshot (stopped VM)

Revert to snapshot

Resize

Delete
Volume operations

Unsupported volume operations:

Download volume

Migrate volume

Recurring snapshots

Create template from encrypted volume snapshot

Create volume from encrypted volume snapshot
Hosts preparation

Install qemu-ev:
#yum install -y qemu-kvm-common-ev-2.10.0 qemu-kvm-
ev-2.10.0 qemu-img-ev-2.10.0 qemu-kvm-tools-ev-2.10.0

Install cryptsetup:
#yum install cryptsetup

Optional:
rngd (EL) or rng-tools (Ubuntu)
package for better entropy

Restart the agent
Host encryption support

Verify the host is properly configured
Service offerings

Adding encryption to service offerings
Disk offerings

Adding encryption to disk offerings
Future?

Add support for other hypervisors

Support more VM/volume operations

More storage types support – CEPH, Linbit, StorPool?

Show volume encryption status

Support LUKS2 encryption
Q&A
Questions?
Thank you!


Email: vladimir.petrov@shapeblue.com
LinkedIn: https://www.linkedin.com/in/vladimir/