How to Enable LUKS Encryption for Cinder Volumes?
Problem
This How-To explains how to enable LUKS encryption for Cinder volume backends so that storage volumes are encrypted at rest. This ensures that sensitive data remains protected even if the underlying storage devices are compromised.
Environment
- Private Cloud Director Virtualisation - v2025.4 and higher
- Self-Hosted Private Cloud Director Virtualisation - v2025.4 and higher
- Component - Storage (Cinder, Barbican, LVM)
With the June release, the Cinder API includes native support for volume encryption (covered in steps 6 and 7 of the Procedure section), removing the need for manual configuration. This release currently supports only basic (LUKS/plain) encryption.
Procedure
1. Ensure Barbican is running and integrated with Keystone:

   $ openstack service list | grep barbican
   | [service-uuid] | barbican | key-manager |

2. Create an encryption key in Barbican:

   $ openstack secret store \
       --name luks-key \
       --payload-content-type 'application/octet-stream' \
       --payload-content-encoding base64 \
       --payload "$(openssl rand -base64 32)"
   +---------------+-----------------------------------------------------------------+
   | Field         | Value                                                           |
   +---------------+-----------------------------------------------------------------+
   | Secret href   | https://[management-plane-fqdn]/barbican/v1/secrets/[secret-id] |
   | Name          | luks-key                                                        |
   | Created       | None                                                            |
   | Status        | None                                                            |
   | Content types | {'default': 'application/octet-stream'}                         |
   | Algorithm     | aes                                                             |
   | Bit length    | 256                                                             |
   | Secret type   | opaque                                                          |
   | Mode          | cbc                                                             |
   | Expiration    | None                                                            |
   +---------------+-----------------------------------------------------------------+

3. Create an encrypted volume type:

   $ openstack volume type create luks-encrypted
   +-------------+------------------+
   | Field       | Value            |
   +-------------+------------------+
   | description | None             |
   | id          | [Volume-Type-Id] |
   | is_public   | True             |
   | name        | luks-encrypted   |
   +-------------+------------------+

   In some OpenStack versions, the openstack CLI does not support creating encrypted volume types. In such cases, use the cinder CLI instead. To run cinder commands, install python-cinderclient==9.4.0.

4. Associate encryption with the volume type:

   $ ~/local/bin/cinder --os-volume-api-version 3.70 encryption-type-create luks-encrypted luks \
       --cipher aes-xts-plain64 \
       --key-size 256 \
       --control-location front-end
   +------------------+----------+-----------------+----------+------------------+
   | Volume Type ID   | Provider | Cipher          | Key Size | Control Location |
   +------------------+----------+-----------------+----------+------------------+
   | [Volume-Type-Id] | luks     | aes-xts-plain64 | 256      | front-end        |
   +------------------+----------+-----------------+----------+------------------+

5. Confirm the volume type and the secret:

   $ openstack volume type list
   +------------------------+----------------+-----------+
   | ID                     | Name           | Is Public |
   +------------------------+----------------+-----------+
   | [Luks-Volume-Type-Id]  | luks-encrypted | True      |
   | [Other-Volume-Type-Id] | lvm            | True      |
   | [Other-Volume-Type-Id] | __DEFAULT__    | True      |
   +------------------------+----------------+-----------+

   $ openstack secret list -c "Secret href" -c Name -c Status -c Algorithm -c "Secret type" -c Mode
   +-------------------------------------------------------------+----------+--------+-----------+-------------+------+
   | Secret href                                                 | Name     | Status | Algorithm | Secret type | Mode |
   +-------------------------------------------------------------+----------+--------+-----------+-------------+------+
   | https://[region-one-FQDN]/barbican/v1/secrets/[secret-uuid] | luks-key | ACTIVE | aes       | opaque      | cbc  |
   +-------------------------------------------------------------+----------+--------+-----------+-------------+------+

6. In the PCD GUI, select the Cluster Blueprint, edit the desired volume backend, add the properties below, and save the blueprint:

   encryption_cipher = aes-xts-plain64
   target_ip_address = <IP-address>
   encryption_key_size = 256
   encryption_provider = luks

7. Configure the key manager in /opt/pf9/etc/pf9-cindervolume-base/conf.d/cinder.conf on all Cinder hosts:

   [key_manager]
   backend = barbican

8. After the above changes, restart the pf9-cindervolume-base service on all Cinder hosts:

   $ sudo systemctl restart pf9-cindervolume-base

9. Confirm that the [key_manager] section and the encryption_* properties are present in the /opt/pf9/etc/pf9-cindervolume-base/conf.d/cinder.conf file:

   [key_manager]
   backend = barbican

   [lvm2]
   volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver
   volume_backend_name = lvm2
   pf9_identifier_timestamp = <timestamp>
   lvm_type = default
   volumes_dir = /opt/pf9/etc/pf9-cindervolume-base/volumes/
   volume_group = cinder-volumes
   target_protocol = iscsi
   encryption_cipher = aes-xts-plain64
   target_ip_address = <IP-address>
   encryption_key_size = 256
   encryption_provider = luks

10. Create an encrypted volume:

   $ openstack volume create --size <DESIRED_VOLUME_SIZE> --type luks-encrypted <VOLUME_NAME>

11. Confirm the encryption status of the volume:

   $ openstack volume show --fit <VOLUME_NAME>
   +-------------------+---------------------+
   | Field             | Value               |
   +-------------------+---------------------+
   | ...               |                     |
   | encryption_key_id | [ENCRYPTION_KEY_ID] |
   | id                | [VOLUME_ID]         |
   | name              | [VOLUME_NAME]       |
   | ...               |                     |
   | status            | available           |
   | type              | luks-encrypted      |
   | ...               |                     |
   | volume_type_id    | [VOLUME_TYPE_ID]    |
   +-------------------+---------------------+
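To verify steps 7, 9 and 11 on every Cinder host without eyeballing files and CLI tables, here is an added example (not Platform9's or Cinder's own code) that parses a cinder.conf in the format shown above and the JSON form of `openstack volume show -f json`. The sample config and volume record are constructed stand-ins, and `check_cinder_conf` / `volume_is_encrypted` are names chosen here.

```python
import configparser
import json

# Settings the How-To adds to the encrypted LVM backend section (steps 6 and 9).
REQUIRED_BACKEND = {
    "encryption_provider": "luks",
    "encryption_cipher": "aes-xts-plain64",
    "encryption_key_size": "256",
}
# Constructed stand-in for /opt/pf9/etc/pf9-cindervolume-base/conf.d/cinder.conf.
SAMPLE_CONF = """
[key_manager]
backend = barbican
[lvm2]
volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver
volume_backend_name = lvm2
target_protocol = iscsi
encryption_cipher = aes-xts-plain64
target_ip_address = 192.0.2.10
encryption_key_size = 256
encryption_provider = luks
"""
# Constructed stand-in for `openstack volume show -f json <VOLUME_NAME>`.
SAMPLE_VOLUME_JSON = """{"id": "00000000-0000-0000-0000-000000000001",
 "name": "secure-vol", "status": "available", "type": "luks-encrypted",
 "encryption_key_id": "11111111-1111-1111-1111-111111111111"}"""


def check_cinder_conf(conf_text, backend_section):
    """Return the settings that differ from the How-To; an empty list means OK."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    problems = []
    # Step 7: Cinder must fetch per-volume keys from Barbican, not a local store.
    if cp.get("key_manager", "backend", fallback=None) != "barbican":
        problems.append("[key_manager] backend is not barbican")
    if not cp.has_section(backend_section):
        return problems + [f"backend section [{backend_section}] missing"]
    for key, expected in REQUIRED_BACKEND.items():
        actual = cp.get(backend_section, key, fallback=None)
        if actual != expected:
            problems.append(f"[{backend_section}] {key}={actual!r}, expected {expected!r}")
    return problems


def volume_is_encrypted(volume_json, expected_type="luks-encrypted"):
    """True when the volume uses the encrypted type and Cinder stored a key id for it
    (encryption_key_id is the per-volume secret Cinder created in Barbican)."""
    vol = json.loads(volume_json)
    return vol.get("type") == expected_type and bool(vol.get("encryption_key_id"))
```

A volume whose type is luks-encrypted but whose encryption_key_id is empty was not actually keyed through Barbican, which is the case this check is meant to catch.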