November 6-8, 2017

Event Details

Please note: All times listed below are in Central Time Zone

Simpler Encrypted Volume Management with Tang

OpenStack currently implements encryption of Cinder volumes using Castellan-based key managers. However, requiring a key escrow can be difficult to manage and error prone, making features like bring-your-own-key quite difficult. Further, efforts to solve this problem by implementing a push model end up requiring invasive OpenStack API changes.

A much simpler solution is available using Tang, an easy and secure alternative to key escrow. A Tang server implements the McCallum-Relyea key exchange, which ensures that the volume cannot be decrypted without access to the Tang server. Tang provides a protocol in which the server has zero knowledge of the keys it helps recover, requires neither SSL/TLS nor authentication, and is highly performant.

In this talk, we'll show how volume encryption can be implemented using Tang instead of key escrow. We'll also show how bring-your-own-key can be implemented by having an on-premises, lightweight Tang server.

What can I expect to learn?

In this talk we will discover how Castellan-based key managers, such as Barbican, interact with Cinder and Nova. Then, we will discuss a recent advance in key management, the Elliptic Curve McCallum-Relyea exchange, and outline its cryptographic properties. Finally, we will discuss the use of this technique to deliver important features such as bring-your-own-key.
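The exchange described in the abstract, written out as an added example (not Tang's own code): the client derives the key K = c*S from the server's advertised key S, keeps only C = c*G, and later recovers K by sending the server a blinded point C + E, so the server computes s*(C + E) without ever seeing C or K. The secp256k1 curve and the class and function names are assumptions made for this illustration.

```python
import secrets

# secp256k1 (y^2 = x^3 + 7 mod P), chosen for this example; Tang announces its own key and curve.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def add(p1, p2):  # affine point addition, handles doubling and the identity
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add scalar multiplication k*pt
    r = INF
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

class TangServer:
    """Holds the only long-lived secret s and advertises S = s*G."""
    def __init__(self):
        self.s = rand_scalar()
        self.adv = mul(self.s, G)
    def recover(self, X):
        return mul(self.s, X)  # the server sees only the blinded point X

def provision(S):
    """Client: K = c*S is the volume key material; keep C = c*G, discard c and K."""
    c = rand_scalar()
    return mul(c, G), mul(c, S)

def recover(server, S, C):
    """Client: blind C with an ephemeral E = e*G, ask for s*(C+E), then unblind."""
    e = rand_scalar()
    Y = server.recover(add(C, mul(e, G)))  # server learns C + E, which reveals neither C nor K
    eS = mul(e, S)
    return add(Y, (eS[0], -eS[1] % P))     # Y - e*S = s*C + s*e*G - e*s*G = s*C = K
```

In a real deployment K is fed through a KDF to produce the symmetric key that wraps the volume key; here the recovered point is compared directly.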

Tuesday, November 7, 3:50pm - 4:00pm (4:50am - 5:00am UTC)
Difficulty Level: Intermediate
Red Hat
Ade works for Red Hat, and has been involved in various security and OpenStack projects (Dogtag, FreeIPA, Barbican, TripleO) for several years. He is a former Barbican PTL. Most recently, he's been working on FIPS compliance in OpenStack.