OpenStack Encryption

A frequent topic if discussion with our public cloud service is OpenStack encryption.  Customers have been looking for the ability to automatically encrypt their data including data at rest.   This feature became readily available with OpenStack Newton and has been further improved with OpenStack Ocata.  For may companies, agencies, and honestly any user today, encryption is required.   Just speaking for myself, any new device or laptop I get one of the first steps I take is to make sure my data is encrypted – i.e. bit locker, etc.  In the past this particular capability was a requirement for large enterprises, government agencies and other organizations looking at new storage systems.


OpenStack Encryption

So, how’s data encryption work with OpenStack Object Storage, also known as Swift.  Since the Newton release, users can turn on at-rest data encryption whenever they setup a new cluster or enable the feature for existing nodes to automatically secure object data as well as metadata.  This is important because regardless of what happens to that data you are protected. For example, say a hard drive in the Swift cluster gets replaced the end user or business doesn’t have to worry about that information and whether it will be leaked or accessible.  With encryption enabled, data owners are protected against unauthorized parties gaining access to data when the user sends back the drives, he said.

A separate use case of encryption, and something the Swift teams sought to remedy was inventory mistakes.   With at-rest data encryption, someone could remove a drive from a Swift node in a cluster, lose it and in turn plug it into another server without first erasing the drive.  With encryption enabled, there are no issues whatsoever.

Let’s look at bit further into how it works.  Swift is built on a two-tier architecture includes a proxy server and storage nodes.  The proxy server runs the API and is the “traffic director” handling the data requests and how the nodes persistently store the data.  Encryption utilizes the advanced encryption standard using 256-bit encryption in the proxy server.

It should be noted that Swift’s 256-bit standard is well within the industry standard but Swift isn’t compliant with another standard called FIPs.  By default FIPs, or the Federal Information Processing Standards, isn’t supported but Swift does include all the necessary methods within the code to enable FIPS 140-2 certification.



Please enter your comment!
Please enter your name here