How to Enable LUKS Encryption for Cinder Volumes?

Problem

How to implement LUKS encryption for Cinder volume backends so that storage volumes are encrypted at rest. This keeps sensitive data protected even if the underlying storage devices are compromised.

Environment

  • Private Cloud Director Virtualisation – v2025.4 and higher.

  • Self-Hosted Private Cloud Director Virtualisation – v2025.4 and higher.

  • Component - Storage (Cinder, Barbican, LVM)

Note: With the 2025.6-159 and above releases, the Cinder API includes native support for volume encryption (covered in steps 6 and 7 in the Procedure section), removing the need for manual configuration. This release currently supports only basic (LUKS/plain) encryption.

Procedure

  1. Ensure Barbican is running and integrated with Keystone:

    $ openstack service list | grep barbican
    | [service-uuid] | barbican       | key-manager    |
  2. Create an encryption key in Barbican:

    $ openstack secret store \
      --name luks-key \
      --payload-content-type 'application/octet-stream' \
      --payload-content-encoding base64 \
      --payload "$(openssl rand -base64 32)"
    ## Sample Output
    +---------------+------------------------------------------------------+
    | Field         | Value                                                |
    +---------------+------------------------------------------------------+
    | Secret href   | https://[PCD_FQDN]/barbican/v1/secrets/[secret-id]   |
    | Name          | luks-key                                             |
    | Created       | None                                                 |
    | Status        | None                                                 |
    | Content types | {'default': 'application/octet-stream'}              |
    | Algorithm     | aes                                                  |
    | Bit length    | 256                                                  |
    | Secret type   | opaque                                               |
    | Mode          | cbc                                                  |
    | Expiration    | None                                                 |
    +---------------+------------------------------------------------------+
  3. Create an encrypted volume type:

    $ openstack volume type create luks-encrypted
    +-------------+--------------------------------------+
    | Field       | Value                                |
    +-------------+--------------------------------------+
    | description | None                                 |
    | id          | [Volume-Type-Id]                     |
    | is_public   | True                                 |
    | name        | luks-encrypted                       |
    +-------------+--------------------------------------+
Note: To run cinder commands, install python-cinderclient==9.4.0. In some OpenStack versions the openstack CLI does not support creating encrypted volume types; in such cases use the cinder CLI instead.

  1. Associate encryption with the volume type.

  2. Confirm the volume type and the secret.

  3. On the PCD GUI > select the cluster blueprint > edit the desired volume > add the properties below > save the blueprint.

  4. Configure the key manager in /opt/pf9/etc/pf9-cindervolume-base/conf.d/cinder.conf on all Cinder hosts.

  5. After the above changes, restart the pf9-cindervolume-base service on all Cinder hosts.

  6. Confirm that the following highlighted configuration entries are present in the /opt/pf9/etc/pf9-cindervolume-base/conf.d/cinder.conf file:

  7. Create an encrypted volume.

  8. Confirm the encryption status of the volume.
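The checks in steps 4, 6 and 8 above are the ones worth scripting when many Cinder hosts are involved. The following is an added example, not code from the Platform9 article: it runs entirely offline against text you paste in (the contents of cinder.conf, and the JSON printed by `openstack volume type show --encryption-type -f json` and `openstack volume show -f json`). The `[key_manager]` option names come from Cinder's castellan integration (`backend`, the pre-Train `api_class` spelling, and the ConfKeyManager-only `fixed_key`); the JSON field layout for the volume type output is assumed, and all sample inputs and the `[PCD_FQDN]` placeholder are constructed for the example.

```python
"""Offline checks for a LUKS-encrypted Cinder volume setup (added example)."""
from __future__ import annotations

import configparser
import json

# Backend values that mean "keys live in Barbican": the short name Cinder
# accepts today plus the class path older cinder.conf files still carry.
BARBICAN_BACKENDS = {
    "barbican",
    "castellan.key_manager.barbican_key_manager.BarbicanKeyManager",
}

# Baseline for a LUKS volume type; the legacy provider class path is also accepted.
LUKS_PROVIDERS = {"luks", "nova.volume.encryptors.luks.LuksEncryptor"}
EXPECTED_CIPHER = "aes-xts-plain64"
EXPECTED_KEY_SIZE = 256


def audit_key_manager(conf_text: str) -> list[str]:
    """Return findings for the [key_manager] section of cinder.conf (empty list = OK)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("key_manager"):
        return ["[key_manager] section missing: key manager is not explicitly configured"]
    km = cp["key_manager"]
    findings = []
    backend = km.get("backend", km.get("api_class", "")).strip()
    if backend not in BARBICAN_BACKENDS:
        findings.append(f"[key_manager] backend is {backend!r}, expected barbican")
    if km.get("fixed_key"):
        # ConfKeyManager keeps a single static key inside cinder.conf, so
        # anyone who can read the file can unlock every volume it protects.
        findings.append("[key_manager] fixed_key is set: key material lives in cinder.conf")
    return findings


def audit_volume_type(vt_json: str) -> list[str]:
    """Compare a volume type's encryption spec against the LUKS baseline."""
    vt = json.loads(vt_json)
    enc = vt.get("encryption") or {}
    if not enc:
        return [f"volume type {vt.get('name')!r} has no encryption spec"]
    findings = []
    if enc.get("provider") not in LUKS_PROVIDERS:
        findings.append(f"provider: got {enc.get('provider')!r}, expected luks")
    if enc.get("cipher") != EXPECTED_CIPHER:
        findings.append(f"cipher: got {enc.get('cipher')!r}, expected {EXPECTED_CIPHER!r}")
    if enc.get("key_size") != EXPECTED_KEY_SIZE:
        findings.append(f"key_size: got {enc.get('key_size')!r}, expected {EXPECTED_KEY_SIZE}")
    return findings


def is_volume_encrypted(vol_json: str) -> bool:
    """True when `openstack volume show -f json` reports the volume as encrypted."""
    return bool(json.loads(vol_json).get("encrypted"))


# --- constructed sample inputs (not taken from a real deployment) ---
SAMPLE_CINDER_CONF_WEAK = """
[key_manager]
backend = cinder.keymgr.conf_key_mgr.ConfKeyManager
fixed_key = 0000000000000000000000000000000000000000000000000000000000000000
"""

SAMPLE_CINDER_CONF_OK = """
[key_manager]
backend = barbican
auth_type = password
auth_url = https://[PCD_FQDN]/keystone/v3

[barbican]
barbican_endpoint = https://[PCD_FQDN]/barbican
"""

SAMPLE_VOLUME_TYPE_JSON = json.dumps({
    "name": "luks-encrypted",
    "encryption": {
        "provider": "luks",
        "cipher": "aes-xts-plain64",
        "key_size": 256,
        "control_location": "front-end",
    },
})

SAMPLE_VOLUME_JSON = json.dumps({"name": "db-data", "status": "available", "encrypted": True})

if __name__ == "__main__":
    print("weak cinder.conf:", audit_key_manager(SAMPLE_CINDER_CONF_WEAK))
    print("good cinder.conf:", audit_key_manager(SAMPLE_CINDER_CONF_OK))
    print("volume type:", audit_volume_type(SAMPLE_VOLUME_TYPE_JSON) or "OK")
    print("volume encrypted:", is_volume_encrypted(SAMPLE_VOLUME_JSON))
```

Run it once per Cinder host with the real cinder.conf contents to catch a host that was skipped in step 4 or 5; an empty findings list for the config and the volume type, plus `encrypted: true` on the created volume, is the state steps 6 to 8 are confirming.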
