Thursday, October 29 • 2:40pm - 3:20pm
Finally FDE - OpenStack Full Disk Encryption and Missing Pieces


Let's encrypt all the things!

Well, let's not, that's silly - but there are a lot of smart things we can encrypt. Some of them require shiny hardware, but quite a lot can be done through the clever application of existing software.

In this talk Robert proposes a two-tiered encryption model to be applied to an OpenStack deployment.

Foundational - Full Disk Encryption. Encrypting everything on disk is non-trivial when managing large datacentres full of gear. In fact, the complexity of this task normally makes it prohibitive unless using hardware-based solutions. At HP we have developed a new way to approach this problem. It makes Linux Full Disk Encryption pretty painless, scales beautifully and finally does away with retroactive "Log in and type the key" type systems that are just plain horrible. We will peek beneath the covers of this solution and share the code with the community so that we can all deploy full disk encryption at scale in a reliable and safe way.

OpenStack Native - Cinder, Nova and Swift all have native encryption capabilities in the pipeline. During this section of the talk we review their progress and discuss when they can be integrated into running production clouds to create a multi-layered encrypted cloud.

Combining these technologies protects everything on disk from accidental loss or compromise while also cryptographically separating tenant data on disk - both have been strong asks for OpenStack for a long time.

In addition, we will introduce Project Marshal.

Project Marshal is an open source implementation of an agent that provides the missing piece of the puzzle for volume encryption. Using the Barbican client API, it allows running virtual machines to access secrets stored in Barbican to use encrypted volumes with tenant-managed keys.

We'll cover:
- What is project “Marshal”?
- What are its features, claims, and roadmap?
- Where can I get the code?
- How can I help set priorities and contribute to Marshal?


Robert Clark

Lead Security Architect, HP
Robert is an HP Distinguished Technologist, the lead security architect for HP Helion OpenStack and the current PTL of the OpenStack Security team. His career has its roots in threat modelling, vulnerability analysis and virtualization security. He is passionate about security and...

Dave McCowan

Technical Leader, OpenStack@Cisco, Cisco Systems
Dave McCowan leads security initiatives of the OpenStack team at Cisco. He is an OpenStack contributor to the Barbican project.

Arvind Tiwari

Technical Leader, Engineering, Cisco
Arvind Tiwari is a Technical Leader in the CTO Group of Cisco Intercloud Services. In his current role, Arvind is responsible for helping Cisco Intercloud teams on Identity, Security, Access Management, and Federation efforts. He is also involved in multiple initiatives to make...

Thursday October 29, 2015 2:40pm - 3:20pm JST
