November 6-8, 2017


Simpler Encrypted Volume Management with Tang

OpenStack currently encrypts Cinder volumes using Castellan-based key managers. However, a key escrow is difficult to manage and error prone, which makes features such as bring-your-own-key hard to deliver. Attempts to solve this with a push model end up requiring invasive changes to the OpenStack APIs.

A much simpler solution is available using Tang, an easy and secure alternative to key escrow. A Tang server implements the McCallum-Relyea key exchange, which ensures that the volume cannot be decrypted without access to the Tang server (so the server's availability becomes part of the volume's availability). Because the client blinds the value it sends and unblinds the reply, the server has zero knowledge of the client's keys; the protocol therefore needs neither SSL/TLS nor authentication, and it is highly performant.

In this talk, we'll show how volume encryption can be implemented using Tang instead of key escrow. We'll also show how bring-your-own-key can be implemented with a lightweight, on-premises Tang server.

What can I expect to learn?

In this talk we will look at how Castellan-based key managers, such as Barbican, interact with Cinder and Nova. Then, we will discuss a recent advance in key management, the Elliptic Curve McCallum-Relyea exchange, and outline its cryptographic properties. Finally, we will discuss the use of this technique to deliver important features such as bring-your-own-key.
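The exchange referred to in the abstract and in this paragraph, written out as an added example; this is not code from the page, from the talk or from Tang itself. Tang runs the McCallum-Relyea exchange on an elliptic-curve group (additive notation: X = C + E, Y = s·X). To stay self-contained, this example writes the same algebra multiplicatively in a prime-field group (X = C·E, Y = X^s), using toy parameters (p = 2^127 - 1, g = 3) chosen only so it runs with the Python standard library; they are not production parameters. The `TangServer` class, the function names and the metadata layout are this example's own assumptions.

```python
"""McCallum-Relyea exchange, written out in a toy prime-field group.

Added example for this page, not Tang's implementation.  Tang performs
the same steps on an elliptic curve (additive notation); here each step
is written multiplicatively so the example runs with the standard library.
"""
import hashlib
import secrets

# Constructed toy group: Z_p^* with p = 2**127 - 1 and generator g = 3.
# ASSUMPTION: demonstration parameters only; Tang uses an elliptic-curve group.
P = 2**127 - 1
G = 3


def keygen():
    """Return (private scalar x, public element g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2      # 2 <= x <= p-2
    return x, pow(G, x, P)


def derive_key(shared):
    """Hash the shared group element into a 256-bit volume key."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


class TangServer:
    """Holds one long-term private scalar s and answers blinded requests."""

    def __init__(self):
        self.s, self.S = keygen()
        self.observed = []                # everything a client ever sent us

    def advertise(self):
        """Publish S = g^s (Tang serves its advertisement over plain HTTP)."""
        return self.S

    def recover(self, x):
        """Y = X^s (EC: Y = s*X). The server never sees C, c, e or K."""
        self.observed.append(x)
        return pow(x, self.s, P)


def provision(server_pub):
    """Client, at volume creation: derive K, keep only S and C as metadata."""
    c, C = keygen()
    K = pow(server_pub, c, P)            # K = S^c = g^(s*c)   (EC: K = c*S)
    # c and K are discarded; without the server, C alone does not yield K.
    return derive_key(K), {"S": server_pub, "C": C}


def recover(server, meta):
    """Client, at boot: reconstruct K with one blinded round trip."""
    e, E = keygen()                      # fresh ephemeral blinding scalar
    X = (meta["C"] * E) % P              # X = C*E = g^(c+e)  (EC: X = C + E)
    Y = server.recover(X)                # Y = X^s = g^(s*(c+e))
    unblind = pow(meta["S"], e, P)       # S^e = g^(s*e)      (EC: e*S)
    K = (Y * pow(unblind, -1, P)) % P    # K = Y / S^e = g^(s*c) (EC: Y - e*S)
    return derive_key(K)


def round_trip_matches():
    """Key at boot equals key at provisioning, with no key escrowed anywhere."""
    server = TangServer()
    k_prov, meta = provision(server.advertise())
    return recover(server, meta) == k_prov


def server_sees_only_blinded_values():
    """The server's transcript holds X = C*E values, never C itself or K."""
    server = TangServer()
    k_prov, meta = provision(server.advertise())
    recover(server, meta)
    recover(server, meta)
    x1, x2 = server.observed
    # E is fresh per request, so X differs each time and never equals C.
    return x1 != x2 and meta["C"] not in server.observed


def wrong_server_cannot_recover():
    """Metadata is bound to one server key; another server yields a different K."""
    server, impostor = TangServer(), TangServer()
    k_prov, meta = provision(server.advertise())
    return recover(impostor, meta) != k_prov


if __name__ == "__main__":
    print(round_trip_matches(), server_sees_only_blinded_values(),
          wrong_server_cannot_recover())
```

The three checks correspond to the properties claimed above: the key recovered at boot equals the one derived at provisioning even though neither the key nor the client's private scalar was stored anywhere; the only value the server ever receives is the blinded X, a fresh uniformly distributed group element on every request, so nothing about C or K is exposed even on an unauthenticated, unencrypted channel; and a server holding a different private key cannot reproduce K, which is what ties decryption of the volume to the Tang server being reachable.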

Tuesday, November 7, 3:50pm-4:00pm
Level: Intermediate
Red Hat
Ade works for Red Hat, and has been involved in various security and OpenStack projects (Dogtag, FreeIPA, Barbican, TripleO) for several years. He is the current Barbican PTL.