Epic
Resolution: Unresolved
[RFE] Rotating encryption keys in-place without retyping for detached volumes
Description of problem:
Customer name: Detecon Al Saudia
TAM : NO
Customer is expecting Volume encryption key rotation
How to rotate pkek. (Doc refers to rewrapping of pkek using mkek after mkek rotation but not the rotation of pkek itself):
--> As per the document pkek rotates when you rotate the MKEK, there is no provision to rotate pkek itself as of now
~~~
Re-deploy using director to apply the update. Director checks whether the keys that are labelled for the MKEK and HMAC exist, and then creates them. In addition, with the BarbicanPkcs11CryptoRewrapKeys parameter set to True, director calls barbican-manage hsm pkek_rewrap to rewrap all existing pKEKs.
~~~
As per our #rhos-tech internal discussion, it looks like there isn't any support for rotating encryption keys in place at the moment.
The only way of doing this at present would be to retype the volume between encrypted volume types. This should result in a new encrypted volume being created with a fresh key and the decrypted data being copied across.
Doing this in-place for detached volumes without the need to retype is what the customer needs as a feature.
Actual results:
Cannot rotate encryption keys in place for detached volumes
Expected results:
Should be able to rotate the volume encryption keys without retyping for detached volumes.
Additional info:
Please refer to the mail thread on #rhos-tech list:
Subj: [rhos-tech][RHOSP15] Is it possible to rotate volume encryption key?
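
The difference between rewrapping a pKEK and actually replacing a volume's key, as an added example that is not Barbican or Cinder code and not part of the original report. It models an assumed hierarchy of MKEK, pKEK, volume key and volume data. `wrap`/`unwrap` are a stand-in built on HMAC-SHA256 rather than the HSM's wrapping mechanism, and all keys and data are constructed.

```python
import hashlib, hmac, os

def _sub(key, label):
    # Separate encryption and MAC subkeys derived from one wrapping key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream: a stand-in, NOT AES key wrap.
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified blob")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def rewrap_pkek(old_mkek, new_mkek, wrapped_pkek):
    # Modelled pkek_rewrap: the pKEK bytes are unchanged, only the wrapping key differs.
    return wrap(new_mkek, unwrap(old_mkek, wrapped_pkek))

def retype_copy(old_volume_key, disk_blob):
    # Modelled retype: fresh volume key, data decrypted and re-encrypted under it.
    new_key = os.urandom(32)
    return new_key, wrap(new_key, unwrap(old_volume_key, disk_blob))

def demo():
    mkek1, mkek2, pkek, vol_key = (os.urandom(32) for _ in range(4))  # constructed keys
    data = b"constructed volume contents"
    wrapped_pkek = wrap(mkek1, pkek)
    stored_secret = wrap(pkek, vol_key)        # volume key as held by the key manager
    disk = wrap(vol_key, data)
    wrapped_pkek = rewrap_pkek(mkek1, mkek2, wrapped_pkek)  # MKEK rotation + rewrap
    same_pkek = unwrap(mkek2, wrapped_pkek) == pkek
    same_vol_key = unwrap(unwrap(mkek2, wrapped_pkek), stored_secret) == vol_key
    old_copy_reads_disk = unwrap(vol_key, disk) == data
    _, new_disk = retype_copy(vol_key, disk)
    try:
        unwrap(vol_key, new_disk)
        old_copy_reads_new = True
    except ValueError:
        old_copy_reads_new = False
    return same_pkek, same_vol_key, old_copy_reads_disk, old_copy_reads_new
```

In this model a copy of the old volume key still reads the data after MKEK rotation and pKEK rewrap, and stops working only after the retype-style copy.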