# How to Enable LUKS Encryption for Cinder Volumes?
### Problem
How to implement LUKS encryption for Cinder volume backends to enhance data security by encrypting storage volumes at rest.. This ensures that sensitive data remains protected, even if the underlying storage devices are compromised.
### Environment
* Private Cloud Director Virtualisation - v2025.4 and Higher.
* Self-Hosted Private Cloud Director Virtualisation – v2025.4 and Higher.
* Component - Storage (Cinder, Barbican, LVM)
{% hint style="info" %}
With the 2025.6-159 and above releases, Cinder API has integrated native support for volume encryption (covered in steps 6 and 7 in the Procedure section), removing the need for manual configuration. This release currently supports only basic (LUKS/plain) encryption.
{% endhint %}
### Procedure
1. Ensure Barbican is running and integrated with Keystone:
```bash
$ openstack service list | grep barbican
| [service-uuid] | barbican | key-manager |
```
2. Create an Encryption Key in Barbican.
```bash
$ openstack secret store \
--name luks-key \
--payload-content-type 'application/octet-stream' \
--payload-content-encoding base64 \
--payload "$(openssl rand -base64 32)"
## Sample Output
+---------------+------------------------------------------------------+
| Field | Value |
+---------------+------------------------------------------------------+
| Secret href | https://[PCD_FQDN]/barbican/v1/secrets/[secret-id] |
| Name | luks-key |
| Created | None |
| Status | None |
| Content types | {'default': 'application/octet-stream'} |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+------------------------------------------------------+
```
3. Create an Encrypted Volume Type
```
$ openstack volume type create luks-encrypted
+-------------+--------------------------------------+
| Field | Value |
+-------------+--------------------------------------+
| description | None |
| id | [Volume-Type-Id] |
| is_public | True |
| name | luks-encrypted |
+-------------+--------------------------------------+
```
{% hint style="info" %}
To run `cinder` commands, install `python-cinderclient==9.4.0`. In some OpenStack versions, the `openstack` CLI does not support creating encrypted volume types. In such cases, use the `cinder` CLI instead.
{% endhint %}
4. Associate Encryption with the Volume Type
```
$ ~/local/bin/cinder --os-volume-api-version 3.70 encryption-type-create luks-encrypted luks \
--cipher aes-xts-plain64 \
--key-size 256 \
--control-location front-end
+--------------------------------------+----------+-----------------+----------+-----------------+
| Volume Type ID | Provider | Cipher | Key Size | Control Location|
+--------------------------------------+----------+-----------------+----------+-----------------+
| [Volume-Type-Id] | luks | aes-xts-plain64 | 256 | front-end |
+--------------------------------------+----------+-----------------+----------+-----------------+
```
5. Confirm volume type and secret:
```
$ openstack volume type list
+--------------------------------------+----------------+-----------+
| ID | Name | Is Public |
+--------------------------------------+----------------+-----------+
| [Luks-Volume-Type-Id] | luks-encrypted | True |
| [Other-Volume-Type-Id] | lvm | True |
| [Other-Volume-Type-Id] | __DEFAULT__ | True |
+--------------------------------------+----------------+-----------+
$ openstack secret list -c "Secret href" -c Name -c Status -c Algorithm -c "Secret type" -c Mode
+--------------------------------------------------------+----------+--------+-----------+------------+------+
| Secret href | Name | Status | Algorithm | Secret type| Mode |
+--------------------------------------------------------+----------+--------+-----------+------------+------+
| https://[PCD_FQDN]/barbican/v1/secrets/[secret-uuid] | luks-key | ACTIVE | aes | opaque | cbc |
+--------------------------------------------------------+----------+--------+-----------+------------+------+
```
6. On the PCD GUI :angle-double-right:Select Cluster blueprint :angle-double-right:Edit desired volume :angle-double-right:add below properties :angle-double-right:save the blueprint.
encryption_cipher = aes-xts-plain64
target_ip_address = <IP-address>
encryption_key_size = 256
encryption_provider = luks
7. Configure the key manager in the `/opt/pf9/etc/pf9-cindervolume-base/conf.d/cinder.conf` on all cinder hosts.
```
[key_manager]
backend = barbican
```
8. After the above changes, restart the `pf9-cindervolume-base` service on all cinder hosts.
```
$ sudo systemctl restart pf9-cindervolume-base
```
9. Confirm whether the following highlighted configurations are present in the `/opt/pf9/etc/pf9-cindervolume-base/conf.d/cinder.conf` file:
[key_manager]
backend = barbican
[lvm2]
volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver
volume_backend_name = lvm2
pf9_identifier_timestamp = <timestamp>
lvm_type = default
volumes_dir = /opt/pf9/etc/pf9-cindervolume-base/volumes/
volume_group = cinder-volumes
target_protocol = iscsi
encryption_cipher = aes-xts-plain64
target_ip_address = <IP-address>
encryption_key_size = 256
encryption_provider = luks
10. Create Encrypted volume.
```
$ openstack volume create --size --type luks-encrypted
```
11. Confirm the Encryption status of the volume.
```
$ openstack volume show --fit
+--------------------------------+------------------------------------------------+
| Field | Value |
+--------------------------------+------------------------------------------------+
| ...... | |
| encryption_key_id | [ENCRYPTION_KEY_ID] |
| id | [VOLUME_ID] |
| name | [VOLUME_NAME] |
| ...... | |
| status | available |
| type | luks-encrypted |
| .. | |
| volume_type_id | [VOLUME_TYPE_ID] |
+--------------------------------+------------------------------------------------+
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://platform9.com/kb/pcd/storage/how-to-enable-luks-encryption-for-cinder-volumes.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.