How to Enable LUKS Encryption for Cinder Volumes?

Problem

Implement LUKS encryption for Cinder volume backends to enhance data security by encrypting storage volumes at rest. This ensures that sensitive data remains protected even if the underlying storage devices are compromised.

Environment

  • Private Cloud Director Virtualisation - v2025.4 and Higher.
  • Self-Hosted Private Cloud Director Virtualisation – v2025.4 and Higher.
  • Component - Storage

Procedure

  1. Ensure Barbican is running and integrated with Keystone.
  2. Create an encryption key in Barbican.
  3. Create an encrypted volume type.

To run cinder commands, install python-cinderclient==9.4.0. In some OpenStack versions, the openstack CLI does not support creating encrypted volume types. In such cases, use the cinder CLI instead.

  4. Associate encryption with the volume type.
  5. Confirm the volume type and secret.
  6. In the PCD GUI, select the cluster blueprint, edit the desired volume, add the properties below, and save the blueprint.
  7. Configure the key manager in /opt/pf9/etc/pf9-cindervolume-base/conf.d/cinder.conf on all cinder hosts.
  8. After the above changes, restart the pf9-cindervolume-base service on all cinder hosts.
  9. Confirm whether the following highlighted configurations are present in the /opt/pf9/etc/pf9-cindervolume-base/conf.d/cinder.conf file.
  10. Create an encrypted volume.
  11. Confirm the encryption status of the volume.
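The cinder.conf steps above can be verified with a script on each cinder host. This is an added example, not part of the original article or of Platform9's tooling; it assumes the setting to confirm is the upstream OpenStack option `backend = barbican` in the `[key_manager]` section, and `ini_get` and `check_key_manager` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumption: the setting to confirm is the upstream OpenStack option
# "backend = barbican" in the [key_manager] section.

# Print the effective value of KEY in SECTION of an INI-style file.
# Comment lines are ignored; the last assignment in the section wins.
ini_get() {  # usage: ini_get FILE SECTION KEY (hypothetical helper)
    awk -v section="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            name = $0
            sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            in_section = (name == section)
            next
        }
        in_section {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { value = v; found = 1 }
        }
        END { if (found) print value; else exit 1 }
    ' "$1"
}

# Return 0 only when FILE selects Barbican as the key manager;
# 1 for a different backend, 2 when no backend is set.
check_key_manager() {  # usage: check_key_manager FILE (hypothetical helper)
    backend=$(ini_get "$1" key_manager backend) || {
        echo "FAIL $1: no [key_manager] backend set" >&2; return 2; }
    case "$backend" in
        barbican) echo "OK $1: key manager is barbican" ;;
        *) echo "FAIL $1: key manager is '$backend'" >&2; return 1 ;;
    esac
}

# Constructed sample config (not a real host file) to exercise the check.
sample=$(mktemp)
printf '%s\n' '[DEFAULT]' 'backend = lvm' '# [key_manager]' \
    '[key_manager]' '  backend = barbican  ' > "$sample"
check_key_manager "$sample"
rm -f "$sample"
```

On a cinder host, call `check_key_manager /opt/pf9/etc/pf9-cindervolume-base/conf.d/cinder.conf` after restarting the service; a non-zero exit status means the host would not use Barbican for volume encryption keys.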