How to Enable LUKS Encryption for Cinder Volumes?
Problem
Enable LUKS encryption for Cinder volume backends so that volumes are encrypted at rest. The per-volume keys are held in Barbican rather than on the storage host, so the contents of a volume stay protected if the underlying storage devices (disks, the LVM volume group, an iSCSI target) are lost, stolen or copied.
Environment
- Private Cloud Director Virtualisation - v2025.4 and Higher.
- Self-Hosted Private Cloud Director Virtualisation - v2025.4 and Higher.
- Component - Storage
Procedure
- Ensure Barbican is running and integrated with Keystone:
$ openstack service list | grep barbican
| [service-uuid] | barbican | key-manager |
- Create an Encryption Key in Barbican. This confirms that the Barbican secret store accepts secrets for the project; the secret is listed again in the verification step below. Cinder does not reference this secret from the volume type: when an encrypted volume is created, Cinder requests a new key from the key manager for that volume and records it as encryption_key_id.
$ openstack secret store \
--name luks-key \
--payload-content-type 'application/octet-stream' \
--payload-content-encoding base64 \
--payload "$(openssl rand -base64 32)"
+---------------+--------------------------------------------------------------------------------+
| Field | Value |
+---------------+--------------------------------------------------------------------------------+
| Secret href | https://[management-plane-fqdn]/barbican/v1/secrets/[secret-id] |
| Name | luks-key |
| Created | None |
| Status | None |
| Content types | {'default': 'application/octet-stream'} |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+--------------------------------------------------------------------------------+
- Create an Encrypted Volume Type
$ openstack volume type create luks-encrypted
+-------------+--------------------------------------+
| Field | Value |
+-------------+--------------------------------------+
| description | None |
| id | [Volume-Type-Id] |
| is_public | True |
| name | luks-encrypted |
+-------------+--------------------------------------+
To run cinder commands, install python-cinderclient==9.4.0.
In some OpenStack versions the openstack CLI does not support attaching an encryption type to a volume type. In such cases, use the cinder CLI instead.
- Associate Encryption with the Volume Type. The provider, cipher and key size chosen here must match the encryption_* properties added to the backend configuration in the later steps. With --control-location front-end, the LUKS device is opened on the compute host that attaches the volume, so encryption and decryption happen there rather than on the Cinder volume host.
$ ~/local/bin/cinder --os-volume-api-version 3.70 encryption-type-create luks-encrypted luks \
--cipher aes-xts-plain64 \
--key-size 256 \
--control-location front-end
+--------------------------------------+----------+-----------------+----------+-----------------+
| Volume Type ID | Provider | Cipher | Key Size | Control Location|
+--------------------------------------+----------+-----------------+----------+-----------------+
| [Volume-Type-Id] | luks | aes-xts-plain64 | 256 | front-end |
+--------------------------------------+----------+-----------------+----------+-----------------+
- Confirm volume type and secret:
$ openstack volume type list
+--------------------------------------+----------------+-----------+
| ID | Name | Is Public |
+--------------------------------------+----------------+-----------+
| [Luks-Volume-Type-Id] | luks-encrypted | True |
| [Other-Volume-Type-Id] | lvm | True |
| [Other-Volume-Type-Id] | __DEFAULT__ | True |
+--------------------------------------+----------------+-----------+
$ openstack secret list -c "Secret href" -c Name -c Status -c Algorithm -c "Secret type" -c Mode
+-----------------+---------+--------+-----------+------------+-----+
| Secret href | Name | Status | Algorithm | Secret type| Mode|
+-----------------+---------+--------+-----------+------------+-----+
| https://[region-| luks-key| ACTIVE | aes | opaque | cbc |
| one-FQDN]/barbi | | | | | |
| can/v1/secrets/ | | | | | |
| [secret-uuid] | | | | | |
+-----------------+---------+--------+-----------+------------+-----+
- On the PCD GUI, open the cluster blueprint, edit the desired volume backend, add the properties below and save the blueprint.
encryption_cipher = aes-xts-plain64
target_ip_address = [IP-address]
encryption_key_size = 256
encryption_provider = luks
- Configure the key manager in /opt/pf9/etc/pf9-cindervolume-base/conf.d/cinder.conf on all cinder hosts:
[key_manager]
backend = barbican
- After the above changes, restart the pf9-cindervolume-base service on all cinder hosts.
$ sudo systemctl restart pf9-cindervolume-base
- Confirm that the following settings are present in the /opt/pf9/etc/pf9-cindervolume-base/conf.d/cinder.conf file: the [key_manager] section, and the encryption_* properties in the backend section that the blueprint change wrote out:
[key_manager]
backend = barbican
[lvm2]
volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver
volume_backend_name = lvm2
pf9_identifier_timestamp = <timestamp>
lvm_type = default
volumes_dir = /opt/pf9/etc/pf9-cindervolume-base/volumes/
volume_group = cinder-volumes
target_protocol = iscsi
encryption_cipher = aes-xts-plain64
target_ip_address = <IP-address>
encryption_key_size = 256
encryption_provider = luks
- Create Encrypted volume.
$ openstack volume create --size <desired-volume-size> --type luks-encrypted <volume-name>
- Confirm the encryption status of the volume. encryption_key_id must be populated (it is None for an unencrypted volume) and type must be luks-encrypted.
$ openstack volume show --fit-width <volume-name>
+--------------------------------+------------------------------------------------+
| Field | Value |
+--------------------------------+------------------------------------------------+
| ...... | |
| encryption_key_id | [encryption_key_id] |
| id | [volume-id] |
| name | [volume-name] |
| ...... | |
| status | available |
| type | luks-encrypted |
| .. | |
| volume_type_id | [volume_type_id] |
+--------------------------------+------------------------------------------------+
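The two checks a practitioner wants after finishing the procedure above are "is cinder.conf actually consistent with the encryption type I attached?" and "did the volume really get a key?". The script below is an added example and is not part of the Platform9 page or product; the function names conf_has, check_cinder_conf and volume_is_encrypted are mine, the backend section name lvm2 and the volume type name luks-encrypted are taken from the page, and the sample cinder.conf and `openstack volume show -f json` output are constructed so the checks run offline (the IP and UUIDs are placeholders).

```shell
#!/bin/sh
# Added example (not from the Platform9 page): post-change checks for LUKS on Cinder.
# Assumed names: backend section [lvm2], volume type luks-encrypted, and the three
# illustrative functions below.

# conf_has SECTION KEY VALUE FILE: succeed if FILE sets KEY = VALUE inside [SECTION].
# Comment lines (#/;) are skipped and surrounding whitespace is ignored, so it copes
# with the spacing in /opt/pf9/etc/pf9-cindervolume-base/conf.d/cinder.conf.
conf_has() {
  awk -v sec="$1" -v key="$2" -v val="$3" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/\].*$/, "", cur); next }
    cur == sec && index($0, "=") {
      i = index($0, "=")
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key && v == val) { found = 1; exit }
    }
    END { if (found) exit 0; exit 1 }
  ' "$4"
}

# check_cinder_conf FILE BACKEND: the key manager must be Barbican and the backend
# section must carry provider/cipher/key size that agree with the encryption type
# attached to the volume type (luks / aes-xts-plain64 / 256).
check_cinder_conf() {
  conf_has key_manager backend barbican "$1" &&
  conf_has "$2" encryption_provider luks "$1" &&
  conf_has "$2" encryption_cipher aes-xts-plain64 "$1" &&
  conf_has "$2" encryption_key_size 256 "$1"
}

# volume_is_encrypted JSON TYPE: given the output of
#   openstack volume show -f json <volume-name>
# succeed only if encryption_key_id is a non-null string and the type is TYPE.
# A volume of an encrypted type whose encryption_key_id is null was created without
# a key and holds plaintext, whatever its type name says.
volume_is_encrypted() {
  key_id=$(printf '%s\n' "$1" | sed -n 's/.*"encryption_key_id": *"\([^"]*\)".*/\1/p')
  vtype=$(printf '%s\n' "$1" | sed -n 's/.*"type": *"\([^"]*\)".*/\1/p')
  [ -n "$key_id" ] && [ "$vtype" = "$2" ]
}

# --- constructed sample inputs so the checks can be exercised offline ---
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
[key_manager]
backend = barbican
[lvm2]
volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver
volume_backend_name = lvm2
target_protocol = iscsi
encryption_cipher = aes-xts-plain64
target_ip_address = 192.0.2.10
encryption_key_size = 256
encryption_provider = luks
EOF
# Same backend section, but the key manager was never switched to Barbican.
sed '/^\[key_manager\]/,/^backend/d' "$GOOD_CONF" > "$BAD_CONF"

# Constructed `openstack volume show -f json` output; UUIDs are placeholders.
ENCRYPTED_JSON='{
  "encryption_key_id": "11111111-2222-3333-4444-555555555555",
  "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "name": "vol01",
  "status": "available",
  "type": "luks-encrypted"
}'
PLAIN_JSON='{
  "encryption_key_id": null,
  "id": "aaaaaaaa-bbbb-cccc-dddd-ffffffffffff",
  "name": "vol02",
  "status": "available",
  "type": "lvm"
}'

# On a real cinder host, replace the samples with the live file and CLI output:
#   check_cinder_conf /opt/pf9/etc/pf9-cindervolume-base/conf.d/cinder.conf lvm2
#   volume_is_encrypted "$(openstack volume show -f json vol01)" luks-encrypted
check_cinder_conf "$GOOD_CONF" lvm2 && echo "sample conf: ok"
check_cinder_conf "$BAD_CONF" lvm2 || echo "sample conf without key_manager: rejected"
volume_is_encrypted "$ENCRYPTED_JSON" luks-encrypted && echo "vol01: encrypted"
volume_is_encrypted "$PLAIN_JSON" luks-encrypted || echo "vol02: not encrypted"
```

Run check_cinder_conf on every cinder host after the blueprint change and the service restart; a host whose backend section lacks the encryption_* properties, or whose [key_manager] still points at a different backend, will accept volumes of the luks-encrypted type from the scheduler but cannot fetch keys for them.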