Create an encrypted volume with the OpenStack CLI

Encrypting a volume means that the data it contains cannot be read without the encryption key. The key is generated when the encrypted volume is created and is kept in the key manager (Barbican), where it must be stored and managed for as long as the volume exists.

Prerequisites

  • Sufficient access rights to use the command line console
  • Sufficient resources in your project

Check the volume types

Volume encryption is specified at the time a volume is created. You can check the volume types that are available with the command:

$ openstack volume type list


Create an encrypted volume

Open your command line console and enter the command:

$ openstack volume create --type volumes_hdd_encrypted --size 10 enc_drive
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| attachments         | []                                   |
| availability_zone   | nova                                 |
| bootable            | false                                |
| consistencygroup_id | None                                 |
| created_at          | 2021-04-27T13:52:10.000000           |
| description         | None                                 |
| encrypted           | True                                 |
| id                  | 33211b21-8d4f-48e9-b76f-ec73ffd19def |
| multiattach         | False                                |
| name                | enc_drive                            |
| properties          |                                      |
| replication_status  | None                                 |
| size                | 10                                   |
| snapshot_id         | None                                 |
| source_volid        | None                                 |
| status              | creating                             |
| type                | volumes_hdd_encrypted                |
| updated_at          | None                                 |
| user_id             | 966ad341f4e14920b5f589f900246ccc     |
+---------------------+--------------------------------------+

Encrypted volumes can also be created using Ansible and Terraform.

Encrypted volume types have the suffix _encrypted.
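As an added example (not from the original page), a shell wrapper that lists the encrypted volume types by their _encrypted suffix and creates a volume only after confirming that Cinder reports it as encrypted; the function names and the use of the -f value -c formatter options are the example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: create a volume with an
# encrypted volume type and fail loudly unless Cinder reports encrypted=True.
set -eu

# Filter `openstack volume type list -f value -c Name` output down to the
# encrypted types, which the page identifies by the suffix _encrypted.
filter_encrypted_types() {
  grep -E '_encrypted$' || true
}

# Return 0 when the value of the "encrypted" field is True, 1 otherwise.
# Cinder prints the field as True/False; whitespace and case are normalised.
is_encrypted() {
  case "$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')" in
    true) return 0 ;;
    *)    return 1 ;;
  esac
}

# Create the volume and check the "encrypted" field of the response.
# `-f value -c encrypted` (cliff formatter options) prints just that field.
create_encrypted_volume() {
  vtype="$1"; size="$2"; name="$3"
  enc=$(openstack volume create --type "$vtype" --size "$size" "$name" \
          -f value -c encrypted)
  if ! is_encrypted "$enc"; then
    echo "ERROR: $name exists but encrypted=$enc; check the type $vtype" >&2
    return 1
  fi
  echo "created $name (type $vtype, encrypted=True)"
}

# Usage, with an OpenStack RC file sourced:
#   openstack volume type list -f value -c Name | filter_encrypted_types
#   create_encrypted_volume volumes_hdd_encrypted 10 enc_drive
```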

Storing secrets in Barbican

In your console, enter the command:

$ openstack secret store


To create a secret of type passphrase, encrypted with the AES algorithm and a key length of 256 bits (the CLI defaults, which is why they appear in the output without being passed as options):

$ openstack secret store --secret-type passphrase -p passphrase -n mysecret
+---------------+--------------------------------------------------------------------------------+
| Field         | Value                                                                          |
+---------------+--------------------------------------------------------------------------------+
| Secret href   | https://dx1.citycloud.com:9311/v1/secrets/<mysecret>                           |
| Name          | mysecret                                                                       |
| Created       | None                                                                           |
| Status        | None                                                                           |
| Content types | None                                                                           |
| Algorithm     | aes                                                                            |
| Bit length    | 256                                                                            |
| Secret type   | passphrase                                                                     |
| Mode          | cbc                                                                            |
| Expiration    | None                                                                           |
+---------------+--------------------------------------------------------------------------------+

Retrieving secrets stored in Barbican

Barbican stores secrets encrypted at rest; an authorized user can retrieve the decrypted payload through the CLI.

In your console, enter the command:

$ openstack secret list
+----------------------------------------------------------+----------+---------------------------+--------+-----------------------------------------+-----------+------------+-------------+------+------------+
| Secret href                                              | Name     | Created                   | Status | Content types                           | Algorithm | Bit length | Secret type | Mode | Expiration |
+----------------------------------------------------------+----------+---------------------------+--------+-----------------------------------------+-----------+------------+-------------+------+------------+
| https://dx1.citycloud.com:9311/v1/secrets/<mysecret>     | mysecret | 2021-04-29T10:33:18+00:00 | ACTIVE | {'default': 'application/octet-stream'} | aes       |        256 | passphrase  | cbc  | None       |
| https://dx1.citycloud.com:9311/v1/secrets/<other_secret> | None     | 2021-04-27T13:52:10+00:00 | ACTIVE | {'default': 'application/octet-stream'} | aes       |        256 | symmetric   | None | None       |
+----------------------------------------------------------+----------+---------------------------+--------+-----------------------------------------+-----------+------------+-------------+------+------------+

Retrieve the decrypted payload (the -p option requests only the payload field) with:

$ openstack secret get https://dx1.citycloud.com:9311/v1/secrets/<mysecret> -p
+---------+------------+
| Field   | Value      |
+---------+------------+
| Payload | passphrase |
+---------+------------+
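As an added example (not from the original page), a round-trip check that stores a passphrase in Barbican, keeps only the returned href, fetches the decrypted payload back and compares the two; the function names, the SECRET_PAYLOAD environment variable and the -f value / -c field selection are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: store a passphrase secret in
# Barbican, keep only its href, and verify the decrypted payload round-trips.
set -eu

# A secret href looks like https://<host>:9311/v1/secrets/<uuid>; return <uuid>.
secret_id_from_href() {
  printf '%s\n' "${1##*/}"
}

# Store $SECRET_PAYLOAD as a passphrase secret named $1 and print the href only.
# Algorithm, bit length and mode keep the CLI defaults shown on the page
# (aes / 256 / cbc). `-f value -c "Secret href"` selects that one field.
# Caveat: the payload is still visible in the argv of the openstack process
# while it runs, so use this on a trusted workstation only.
store_passphrase() {
  openstack secret store --secret-type passphrase -n "$1" \
    -p "$SECRET_PAYLOAD" -f value -c "Secret href"
}

# Fetch the decrypted payload of the secret at href $1. `-p` asks Barbican
# for the payload only; `-f value` drops the table decoration.
get_payload() {
  openstack secret get "$1" -p -f value
}

# Store, fetch, compare. Returns 1 if what comes back differs from what went in.
roundtrip_check() {
  href=$(store_passphrase "$1")
  echo "stored '$1' as secret $(secret_id_from_href "$href")"
  got=$(get_payload "$href")
  if [ "$got" != "$SECRET_PAYLOAD" ]; then
    echo "ERROR: payload mismatch for $href" >&2
    return 1
  fi
  echo "payload round-trip OK"
}

# Usage, with an OpenStack RC file sourced; read the passphrase without echo
# so it never lands in the shell history:
#   printf 'Passphrase: ' >&2; read -rs SECRET_PAYLOAD; echo >&2
#   export SECRET_PAYLOAD
#   roundtrip_check mysecret
```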

Official Barbican documentation

More details and commands are available at https://docs.openstack.org/python-openstackclient/latest/cli/plugin-commands/barbican.html