November 6-8, 2017

Event Details

Simpler Encrypted Volume Management with Tang

OpenStack currently implements encryption of Cinder volumes using Castellan-based key managers. However, requiring a key escrow can be difficult to manage and error prone, making features like bring-your-own-key quite difficult. Further, efforts to solve this problem by implementing a push model end up requiring invasive OpenStack API changes.

A much simpler solution is available using Tang, an easy and secure alternative to key escrow. A Tang server implements the McCallum-Relyea key exchange, which ensures that the volume cannot be decrypted without access to the Tang server. Tang provides a protocol in which the server has zero knowledge of the client's keys, does not require SSL/TLS or authentication, and is highly performant.

In this talk, we'll show how volume encryption can be implemented using Tang instead of key escrow. We'll also show how bring-your-own-key can be implemented by having an on-premises, lightweight Tang server.

What can I expect to learn?

In this talk we will discover how Castellan-based key managers, such as Barbican, interact with Cinder and Nova. Then, we will discuss a recent advancement in the field of key management, the Elliptic Curve McCallum-Relyea exchange, and outline its cryptographic properties. Finally, we will discuss the use of this technique to deliver important features such as bring-your-own-key.
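The two properties the abstract claims for Tang (the server has zero knowledge of the client's key, yet the key cannot be recovered without the server) follow directly from the structure of the McCallum-Relyea exchange. The following is an added illustration written for this page, not code from Tang, Cinder or the talk: it implements the elliptic-curve exchange in pure Python over secp256k1 (the curve choice, the `TangServer` class and the `bind`/`recover` function names are assumptions made here; real Tang carries the same exchange as JSON Web Keys over plain HTTP). At provisioning time the client derives the volume key K = cS from its own ephemeral private key c and the server's public key S, keeps only the public point C = cG, and discards c and K. At recovery time the client blinds C with a fresh scalar e before sending it, so the server multiplies a point it cannot link to any stored volume, and the client removes the blinding locally. From a defender's standpoint, the same structure makes availability of the Tang server (and the secrecy of its private scalar s) the thing that gates decryption, which is what the "cannot be decrypted without access to the Tang server" property means in practice.

```python
import secrets

# secp256k1 domain parameters (standard curve constants; using this curve is an
# illustrative choice for this example, not something the talk abstract specifies)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def neg(pt):
    """Additive inverse of a point."""
    return None if pt is None else (pt[0], (-pt[1]) % P)


def rand_scalar():
    return secrets.randbelow(N - 1) + 1


class TangServer:
    """Hypothetical stand-in for a Tang server: one long-term scalar s, one operation."""

    def __init__(self):
        self._s = rand_scalar()
        self.S = mul(self._s, G)  # advertised public key; the only thing the client fetches

    def recover(self, X):
        # The server multiplies whatever point it is sent; it stores nothing per client
        # and cannot tell a blinded C from a random point.
        return mul(self._s, X)


def bind(S):
    """Provisioning: derive the volume key K from the server's public key S.

    Returns (C, K). The caller stores C (public) alongside the volume, uses K to wrap the
    LUKS/Cinder volume key, and discards both c and K.
    """
    c = rand_scalar()
    C = mul(c, G)
    K = mul(c, S)  # K = cS = csG
    return C, K


def recover(C, S, server):
    """Recovery: obtain K again without ever revealing C or K to the server."""
    e = rand_scalar()
    X = add(C, mul(e, G))          # blinded point: C + eG
    Y = server.recover(X)          # server returns sX = sC + esG
    return add(Y, neg(mul(e, S)))  # unblind: sC + esG - eS = sC = cS = K


if __name__ == "__main__":
    server = TangServer()
    C, K = bind(server.S)
    print("recovered key matches:", recover(C, server.S, server) == K)
```

Because e is fresh on every recovery, two recoveries of the same volume send the server two unrelated points, so a server-side log of requests does not reveal which volume is being unlocked; conversely, anyone who only sees C and S learns nothing about K without s, which is the discrete-log assumption the exchange rests on.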

Tuesday, November 7, 3:50pm-4:00pm
Level: Intermediate
Red Hat
Ade works for Red Hat, and has been involved in Dogtag development (and its integration into FreeIPA) for a number of years now. He has worked to integrate Dogtag and FreeIPA with OpenStack, and is a core contributor to the Barbican project. Most recently, he has worked on puppet modules to deploy Barbican in TripleO and RDO.