Key retrieval agent for OpenStack instances.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
debian
doc/source
docs
etc/marshal
marshal_agent
tmp
.coveragerc
.gitignore
.gitreview
.mailmap
.testr.conf
CONTRIBUTING.rst
HACKING.rst
LICENSE
MANIFEST.in
README.md
README.rst
babel.cfg
openstack-common.conf
requirements.txt
setup.cfg
setup.py
test-requirements.txt
tox.ini

README.md

Marshal

Overview

  • Marshal is an agent service running inside virtual machines, which will be responsible for securely fetching encryption keys from ia KMS like Barbican.
  • This agent will be interfacing with the disk encryption subsystem of the underlying operating system to encrypt/decrypt the disk I/O.
  • In the case of Linux-based virtual machines this agent will be interfacing with dm-crypt and for Windows OS it will be interfacing with Bit-locker.
  • The agent provides an abstraction service and can be integrated with other encryption subsystem as required.
  • When the agent reads a key from the KMS, the key is only stored briefly in a secure temporary file until it can be transferred to the disk encryption subsystem.

Table of Contents

Features

  • Disk encryption subsystem abstraction allowing for a consistent interface
  • KMS system abstraction allowing for a consistent interface
  • Encryption at various levels including full disk encryption, partition encryption including root partition

Architecture


Diagram1

Getting Started

Deployment

#####For production purposes, Marshal is intended to be deployed as a Debian Package embedded into OpenStack VMs

Deploying Using Debian Package

Building and testing debian package

For test purposes, Marshal can be cloned using normal Git semantics:

Clone to local repository:

#####Via SSH: $ git clone git@github.com:openstack/marshal.git

#####Via HTTPS: $ git clone https://github.com/openstack/marshal.git

Software Requirements


  • Python 2.7.8
  • Cryptsetup (if Linux OS)

Deployment Procedure


Please refer to the Getting Started Guide, which covers deployment, configuration, and example usage.

Documentation

All documentation is located here

Roadmap

  • KMS for infrastructure tenants
  • Volume encryption (With Marshal)
  • Certificate provisioning
  • Object Encryption
  • High key use tenants and IOT
  • KMaaS

Core Components and Features


List core components and features here
  • Orchestration

Security


List the security services it provides
  • Encryption

Operations


Disk encryption
Automatic key retreival from a KMS

Platform Support


Currently, only the Linux platform is supported using dm_crypt. Support Windows using bitlocker currently in the planning stages.
Currently, only the OpenStack Barbican KMS is supported. Support for other KMSs is currently in the planning stages.
Currently, only cloud-based KMSs are supported. Support for local KMSs is currently in the planning stages.

Development

Write about the details of how anyone can contribute to the project.

Getting Support

Write about the support details of the project.In case of any issue how anyone can get the support.

License

Write about the license details of the project.