The Must-Attend

Open Infrastructure Event

The world runs on open infrastructure. At the OpenStack Summit, you’ll learn about the mix of open technologies building the modern infrastructure stack, including OpenStack, Kubernetes, Docker, Ansible, Ceph, OVS, OpenContrail, OPNFV, and more. Whether you are pursuing a private, public or multi-cloud approach, the OpenStack Summit is the place to network, skill up and plan your cloud strategy.

Sydney
November 6-8, 2017


Event Details

Simpler Encrypted Volume Management with Tang

OpenStack currently implements encryption of Cinder volumes using Castellan-based key managers. However, requiring a key escrow can be difficult to manage and error-prone, making features like bring-your-own-key quite difficult. Further, efforts to solve this problem by implementing a push model end up requiring invasive OpenStack API changes.

A much simpler solution is available using Tang, an easy and secure alternative to key escrow. A Tang server implements the McCallum-Relyea key exchange, which ensures that the volume cannot be decrypted without access to the Tang server. Tang provides a protocol in which the server has zero knowledge of keys, does not require SSL/TLS or authentication, and is highly performant.

In this talk, we'll show how volume encryption can be implemented using Tang instead of key escrow. We'll also show how bring-your-own key can be implemented by having an on-premises, lightweight Tang server.


What can I expect to learn?

In this talk we will discover how Castellan-based key managers, such as Barbican, interact with Cinder and Nova. Then, we will discuss a recent advance in the field of key management, the Elliptic Curve McCallum-Relyea exchange, and outline its cryptographic properties. Finally, we will discuss the use of this technique to deliver important features such as bring-your-own-key.
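The exchange this abstract refers to, as an added example that is not code from the Tang project or the talk: a minimal Elliptic Curve McCallum-Relyea round trip in pure Python. The curve (secp256k1), the class and function names, and the use of raw points as keys are assumptions made for illustration; it shows why the server never learns the volume key, since it only ever multiplies a point the client has blinded.

```python
import secrets
# secp256k1 parameters: a constructed choice for this example; the page does
# not say which curve Tang itself uses.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p == q: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, p):
    """Double-and-add scalar multiplication k*p."""
    r = None
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

class TangServer:
    """Holds the only long-term secret s and publishes S = s*G (hypothetical name)."""
    def __init__(self):
        self._s = rand_scalar()
        self.pub = mul(self._s, G)
    def recover(self, x):
        return mul(self._s, x)   # the server only ever sees the blinded point x

def provision(server_pub):
    """Client side: ephemeral c; K = c*S becomes the volume key, C = c*G is
    stored next to the volume metadata, and c is discarded."""
    c = rand_scalar()
    return mul(c, G), mul(c, server_pub)

def recover(server, server_pub, C):
    """Client side: blind C with fresh e, ask the server for s*(C+E), unblind with e*S."""
    e = rand_scalar()
    y = server.recover(add(C, mul(e, G)))
    eS = mul(e, server_pub)
    return add(y, (eS[0], -eS[1] % P))   # s*C + s*E - e*S = s*C = K
```

A real deployment would feed the recovered point through a KDF rather than use its coordinates directly, and would lose the key permanently if the Tang server's secret were lost, which is the availability trade-off the talk's bring-your-own-key use case relies on.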

Tuesday, November 7, 3:50pm-4:00pm
Will be recorded
Level: Intermediate
Nathaniel McCallum, Principal Software Engineer, Red Hat
Nathaniel McCallum is a Principal Software Engineer at Red Hat where he develops security related technologies. If you're looking for someone to blame for software projects such as FreeOTP, José, Clevis and Tang, Nathaniel is the guy. He also regularly breaks projects such as FreeIPA and MIT Kerberos with his "contributions." Not satisfied with unleashing poor software on the world, he...

Ade, Red Hat
Ade works for Red Hat, and has been involved in Dogtag development (and its integration into FreeIPA) for a number of years now. He has worked to integrate Dogtag and FreeIPA with OpenStack, and is a core contributor to the Barbican project. Most recently, he has worked on puppet modules to deploy Barbican in Triple-O and RDO.