Without doubt, security is one of the most important concerns for your enterprise – and so should it be for your OpenStack cloud. Encryption not only helps to protect your data, but also ensure compliance.
Starting with the Ocata release of OpenStack, the NetApp Cinder driver supports NetApp’s software-based Volume Encryption (NVE) which allows you to encrypt on a per volume basis for greater flexibility, for example, when you need to encrypt certain volumes and not the entire storage array. While it’s recommended to get the latest NetApp driver through your OpenStack distribution, you can also find it on the upstream OpenStack repository: https://github.com/openstack/cinder
Configuring NVE requires you to install the associated license and enabling onboard key management. Before installing the license, you should determine whether your ONTAP version supports NVE. For full support matrix, please refer to the online documentation here: https://goo.gl/oZ5npb. You can also find some really good details on it and the benefits that it brings to the table in the ONTAP 9 documentation, the NetApp Encryption Power Guide, and this Tech ONTAP Podcast.
From an OpenStack perspective, it’s actually pretty easy to set up!
Once you have volume encryption enabled on a backend, all that you need to do is set the netapp_flexvol_encryption extra-spec to ‘true’ for a new or existing volume-type.
Here’s an example of how you can create a new volume type with the netapp_flexvol_encryption extra-spec:
$ cinder type-create encrypted
$ cinder type-key encrypted set netapp_flexvol_encryption=true
Once that’s done, you can leverage this volume type to create encrypted Cinder volumes either through the ‘cinder create’ command, or through the Horizon dashboard.
That’s it! It’s really that simple!
You can now have data-at-rest encryption with NVE, in addition to the existing encryption solution provided by Cinder: https://docs.openstack.org/security-guide/tenant-data/data-encryption.html. Combining the two solutions can help enforce security for data in-transmission and at rest, thus ensuring that your data cannot be read even if the underlying device is lost, stolen, or repurposed.
So go ahead and give it a try to see how NetApp’s Volume Encryption can bring security to your OpenStack cloud without sacrificing flexibility and performance!