Support for LUKS-encrypted images with user-defined LUKS secret #6488

OpenNebulaSupport opened this issue Jan 30, 2024 · 0 comments

OpenNebulaSupport commented Jan 30, 2024

Description
There is a request from the customer for having the possibility of "a per-user-based and user-defined LUKS secret".
In the current OpenNebula implementation, manual steps are required from the admin side on each hypervisor node, as written in the docs.
The feature has to make it possible for the user to define a custom LUKS secret for each image separately. As soon as the LUKS secret is defined in OpenNebula, the required actions on the hypervisor nodes have to be done automatically, i.e. no manual actions should be required from the admin side.

Use case
The new feature will make it possible to use a LUKS-encrypted image with a user-defined LUKS secret.

Interface Changes
It should be possible for the user to set the LUKS secret (not the UUID, as is now defined in the LUKS_SECRET attribute).
Possible scenarios:
1) New image. When a new image is uploaded via the web GUI, OpenNebula should detect whether it is LUKS-encrypted and, if it is, ask for a LUKS secret (not the UUID but the secret that was used to encrypt the image). If the LUKS-encrypted image is registered via the CLI, there should be an option to pass the LUKS secret (e.g. --luks-secret-file=).

2) Encrypt an image already registered in OpenNebula with the LUKS secret provided.
Sunstone: Storage -> Images -> select existing image -> the "Clone" button needs to become a drop-down menu with two items:

a. Clone
b. Clone&Encrypt

The first one ("Clone") is a regular clone as it is now. The second one ("Clone&Encrypt") should have a dedicated mandatory field where the LUKS secret has to be specified.

If the image is cloned via the command line, a new option is needed (e.g. similar to the one given above), i.e.

oneimage clone-and-encrypt --luks-secret-file=<path-to-the-file-with-LUKS-secret-in-plain-text> <image-id>

Such a LUKS-encrypted registration should trigger a set of required actions on all hypervisor nodes where that image can be used.

Progress Status

  • Code committed
  • Testing - QA
  • Documentation (Release notes - resolved issues, compatibility, known issues)
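As an added example (not code from this issue or from OpenNebula), here is how the "detect if it's LUKS-encrypted" step of scenario 1 could be implemented: a parser for the fixed LUKS1/LUKS2 binary header that reads only metadata (version, cipher, label, UUID) and never touches key slots or key material, so the registration flow can decide whether to prompt for a secret. It assumes a raw image whose first bytes are the LUKS header (a qcow2 container would need unwrapping first); the function names and the sample headers are constructed for this example.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"             # primary header magic (LUKS1 and LUKS2)
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"  # LUKS2 secondary/backup header magic


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width header string."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def probe_luks(header: bytes):
    """Return header metadata if `header` starts with a LUKS header, else None.
    Only the fixed binary prefix is read (LUKS1: 208 bytes, LUKS2: 4096 bytes)."""
    if len(header) < 8 or header[:6] not in (LUKS_MAGIC, LUKS2_SECONDARY_MAGIC):
        return None
    (version,) = struct.unpack(">H", header[6:8])
    if version == 1 and len(header) >= 208:
        # LUKS1 phdr: cipher name/mode/hash (32 bytes each), payload offset,
        # key size, MK digest (20), MK salt (32), MK iterations (4), UUID (40).
        payload_offset, key_bytes = struct.unpack(">II", header[104:112])
        return {"version": 1, "cipher": _cstr(header[8:40]), "mode": _cstr(header[40:72]),
                "hash": _cstr(header[72:104]), "key_bytes": key_bytes,
                "payload_offset": payload_offset, "uuid": _cstr(header[168:208])}
    if version == 2 and len(header) >= 4096:
        # LUKS2 binary header: hdr_size, seqid, label (48), csum_alg (32),
        # salt (64), UUID (40); the JSON metadata area follows at byte 4096.
        hdr_size, seqid = struct.unpack(">QQ", header[8:24])
        return {"version": 2, "hdr_size": hdr_size, "seqid": seqid,
                "label": _cstr(header[24:72]), "uuid": _cstr(header[168:208])}
    return None


def needs_luks_secret(image_prefix: bytes) -> bool:
    """Registration hook (hypothetical): True when the upload should prompt for a LUKS secret."""
    return probe_luks(image_prefix) is not None


def _pad(s: bytes, n: int) -> bytes:
    return s.ljust(n, b"\0")

# Constructed sample headers for demonstration; not taken from a real device.
SAMPLE_LUKS1 = (LUKS_MAGIC + struct.pack(">H", 1) + _pad(b"aes", 32) + _pad(b"xts-plain64", 32)
                + _pad(b"sha256", 32) + struct.pack(">II", 4096, 64) + b"\0" * 52
                + struct.pack(">I", 1000) + _pad(b"11111111-2222-3333-4444-555555555555", 40))
SAMPLE_LUKS2 = (LUKS_MAGIC + struct.pack(">H", 2) + struct.pack(">QQ", 16384, 3)
                + _pad(b"customer-disk", 48) + _pad(b"sha256", 32) + b"\0" * 64
                + _pad(b"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", 40)).ljust(4096, b"\0")
SAMPLE_RAW = b"\0" * 4096  # unencrypted raw image whose first sectors are zero
```

In a real registration path the first 4096 bytes of the uploaded file are enough input for `probe_luks`, so the check costs one small read regardless of image size.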