- Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption keys from a KMS like Barbican.
- This agent will be interfacing with the disk encryption subsystem of the underlying operating system to encrypt/decrypt the disk I/O.
- In the case of Linux-based virtual machines, this agent will be interfacing with dm-crypt, and for Windows OS it will be interfacing with BitLocker.
- The agent provides an abstraction service and can be integrated with other encryption subsystems as required.
- When the agent reads a key from the KMS, the key is only stored briefly in a secure temporary file until it can be transferred to the disk encryption subsystem.
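
The temporary key file handling described above, sketched for the dm-crypt case as an added example (this is not Marshal's own code). The function names, the `/dev/shm` default and the injectable `runner` are assumptions, and the key is taken as bytes already fetched from the KMS.

```python
import os
import subprocess
import tempfile
from contextlib import contextmanager


@contextmanager
def secure_key_file(key, directory=None):
    """Yield the path of a 0600 temp file holding `key`; wipe and unlink on exit."""
    if directory is None:
        # Assumption: prefer a RAM-backed tmpfs so the key never reaches the disk.
        directory = "/dev/shm" if os.path.isdir("/dev/shm") else tempfile.gettempdir()
    # mkstemp creates the file with O_EXCL and mode 0600, owned by the caller.
    fd, path = tempfile.mkstemp(prefix="keyfile-", dir=directory)
    try:
        os.write(fd, key)
        os.fsync(fd)
        yield path
    finally:
        # Best-effort overwrite before unlinking; runs even if the consumer fails.
        os.lseek(fd, 0, os.SEEK_SET)
        os.write(fd, b"\x00" * len(key))
        os.fsync(fd)
        os.close(fd)
        os.unlink(path)


def build_open_command(device, mapping, key_path):
    """argv for unlocking a LUKS volume through dm-crypt with a key file."""
    return ["cryptsetup", "open", "--type", "luks",
            "--key-file", key_path, device, mapping]


def unlock(device, mapping, key, runner=subprocess.run, directory=None):
    """Hand `key` to cryptsetup; the key file exists only for the call's duration."""
    with secure_key_file(key, directory) as path:
        # No shell is involved: arguments are passed as a list.
        return runner(build_open_command(device, mapping, path), check=True)
```

The overwrite is best-effort: on journaling or copy-on-write filesystems the old blocks may survive, which is why a tmpfs directory is the preferred location.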
Table of Contents
- Getting Started
- Software Requirements
- Deployment Procedure
- Core Components and Features
- Platform Support
- Disk encryption subsystem abstraction allowing for a consistent interface
- KMS system abstraction allowing for a consistent interface
- Encryption at various levels including full disk encryption, partition encryption including root partition
##### For production purposes, Marshal is intended to be deployed as a Debian Package embedded into OpenStack VMs
Deploying Using Debian Package
For test purposes, Marshal can be cloned using normal Git semantics:
Clone to local repository:
$ git clone firstname.lastname@example.org:openstack/marshal.git
$ git clone https://github.com/openstack/marshal.git
- Python 2.7.8
- Cryptsetup (if Linux OS)
Please refer to the Getting Started Guide, which covers deployment, configuration, and example usage.
- KMS for infrastructure tenants
- Volume encryption (With Marshal)
- Certificate provisioning
- Object Encryption
- High key use tenants and IoT
Core Components and Features
List core components and features here
List the security services it provides