{
  "/PATCHSET_LEVEL": [
    {
      "author": {
        "_account_id": 5314,
        "name": "Brian Rosmaita",
        "email": "rosmaita.fossdev@gmail.com",
        "username": "brian-rosmaita"
      },
      "change_message_id": "648c27c23fc86df70daaf174aa5b36b4c6c7c4c0",
      "unresolved": false,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 2,
      "id": "ca35aa57_9c3a90ab",
      "updated": "2024-05-22 16:58:14.000000000",
      "message": "This is just a formatting comment.  The \"Use Cases\" section wasn't displaying properly in HTML, and I finally figured out how to make it work.  The explanation is here:\n\nhttps://paste.opendev.org/show/824208/\n\nBut as long as I got it working, I figured it would be easier to upload a new patch so you don't have to re-do it yourself.  Hope you don't mind.\n\nStill thinking about the content, but I think it mostly looks good.",
      "commit_id": "64d0d62d9c11502a9fd2589c6a10d5c176ec8f59"
    },
    {
      "author": {
        "_account_id": 5314,
        "name": "Brian Rosmaita",
        "email": "rosmaita.fossdev@gmail.com",
        "username": "brian-rosmaita"
      },
      "change_message_id": "f66ac8b226e39b3bad7b642aa45582fd7ac36dcd",
      "unresolved": false,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 3,
      "id": "44c8dfe8_b20e2765",
      "updated": "2024-06-08 17:50:04.000000000",
      "message": "I was going to say something about the relative strength of the 'passphrase' secret type vs. what cinder currently does, but that's an issue for whoever allows you to set the passphrase.\nSo I think this is OK.",
      "commit_id": "10afe7bcb9db0b639b5ed4c9b5ffa1f12fdc18e0"
    },
    {
      "author": {
        "_account_id": 13425,
        "name": "Simon Dodsley",
        "email": "simon@purestorage.com",
        "username": "sdodsley"
      },
      "change_message_id": "2d8d5f017f82d7b5d36df0130d1e9a8da48723f3",
      "unresolved": false,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 3,
      "id": "212aa97a_a0d5d8d9",
      "updated": "2024-06-07 20:56:03.000000000",
      "message": "Looks OK to me now that Brian has fixed the formatting.",
      "commit_id": "10afe7bcb9db0b639b5ed4c9b5ffa1f12fdc18e0"
    },
    {
      "author": {
        "_account_id": 9236,
        "name": "Jon Bernard",
        "email": "jobernar@redhat.com",
        "username": "jbernard"
      },
      "change_message_id": "2d86e173fc3da51d969a20a5d0d67356dc09295e",
      "unresolved": false,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 3,
      "id": "754441aa_aadb2592",
      "updated": "2024-07-08 15:10:19.000000000",
      "message": "This looks okay to me too.  Rajat - I think we can cover any additional questions you have in the Wednesday meeting, but I'd like to get this in before freeze.",
      "commit_id": "10afe7bcb9db0b639b5ed4c9b5ffa1f12fdc18e0"
    },
    {
      "author": {
        "_account_id": 27615,
        "name": "Rajat Dhasmana",
        "email": "rajatdhasmana@gmail.com",
        "username": "whoami-rajat"
      },
      "change_message_id": "40b016b3f11bc662d7aec5741a819084df0d58d9",
      "unresolved": false,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 3,
      "id": "ae151ea6_b7eb23f0",
      "updated": "2024-07-02 16:16:33.000000000",
      "message": "A few questions inline.",
      "commit_id": "10afe7bcb9db0b639b5ed4c9b5ffa1f12fdc18e0"
    }
  ],
  "specs/2024.2/LUKS-image-encryption.rst": [
    {
      "author": {
        "_account_id": 27615,
        "name": "Rajat Dhasmana",
        "email": "rajatdhasmana@gmail.com",
        "username": "whoami-rajat"
      },
      "change_message_id": "40b016b3f11bc662d7aec5741a819084df0d58d9",
      "unresolved": true,
      "context_lines": [
        {"line_number": 75, "context_line": " option. This also needs to be handled when creating an encrypted volume"},
        {"line_number": 76, "context_line": " from such an image."},
        {"line_number": 77, "context_line": ""},
        {"line_number": 78, "context_line": "| 2. Whenever an encrypted image is converted to an encrypted volume the secret"},
        {"line_number": 79, "context_line": " should be copied to give Cinder full control over the life-cycle of the"},
        {"line_number": 80, "context_line": " secret."},
        {"line_number": 81, "context_line": "|"},
        {"line_number": 82, "context_line": "|   2.1. The secret can be a key or a passphrase. The secret type"},
        {"line_number": 83, "context_line": " classification in the Key-Manager will determine the key handling"}
      ],
      "source_content_type": "text/x-rst",
      "patch_set": 3,
      "id": "dbe29134_9246b6b1",
      "line": 80,
      "range": {"start_line": 78, "start_character": 5, "end_line": 80, "end_character": 8},
      "updated": "2024-07-02 16:16:33.000000000",
      "message": "If I understand correctly, if we want to create an encrypted bootable volume out of the glance image, we will first decrypt the glance image, decrypt the volume to provide a symlink to write image data, then copy the image data into the volume and close the volume decryptor. So there will always be single encryption and never double encryption (glance encryption + cinder encryption).\nAlso, if the volume is encrypted, it will have its own secret to decrypt it; are we going to keep 2 secrets, one for the image and one for the volume? When will the glance secret come into the picture if we copy the decrypted glance image into the volume?",
      "commit_id": "10afe7bcb9db0b639b5ed4c9b5ffa1f12fdc18e0"
    },
    {
      "author": {
        "_account_id": 28271,
        "name": "Josephine Seifert",
        "email": "josephine.seifert@cloudandheat.com",
        "username": "josei"
      },
      "change_message_id": "808e28c7182efffebded8406a0ed032a8ebc0e74",
      "unresolved": true,
      "context_lines": [
        {"line_number": 75, "context_line": " option. This also needs to be handled when creating an encrypted volume"},
        {"line_number": 76, "context_line": " from such an image."},
        {"line_number": 77, "context_line": ""},
        {"line_number": 78, "context_line": "| 2. Whenever an encrypted image is converted to an encrypted volume the secret"},
        {"line_number": 79, "context_line": " should be copied to give Cinder full control over the life-cycle of the"},
        {"line_number": 80, "context_line": " secret."},
        {"line_number": 81, "context_line": "|"},
        {"line_number": 82, "context_line": "|   2.1. The secret can be a key or a passphrase. The secret type"},
        {"line_number": 83, "context_line": " classification in the Key-Manager will determine the key handling"}
      ],
      "source_content_type": "text/x-rst",
      "patch_set": 3,
      "id": "c6442b96_9a6ef422",
      "line": 80,
      "range": {"start_line": 78, "start_character": 5, "end_line": 80, "end_character": 8},
      "in_reply_to": "dbe29134_9246b6b1",
      "updated": "2024-07-03 12:55:34.000000000",
      "message": "There will be two ways to create an encrypted volume from an encrypted image.\n\n1. The image is raw -> it will just be copied (this is already done as part of Cinder, when Cinder is using images that were created from encrypted volumes). In this case the key remains the same, but for the sake of better life-cycle control over the key: the key is copied and its new uuid used in the new volume.\n\n2. The image is encrypted qcow -> A simple approach would be using qemu convert to convert the qcow image to a LUKS-encrypted raw image, which could then use the same workflow as in case 1. Another option would be to give qemu convert a block device (Cinder volume), which could be used as a target to stream the data into. Both options will need the glance key to decrypt and another key to encrypt the data. A workflow can be seen here: https://github.com/SovereignCloudStack/standards/issues/560#issuecomment-2206005620\n\nInterestingly, a re-keying is possible when using qemu convert, which would result in having different keys for the image and the volume. This might be something we want to use.\n\nConclusion: We are going to keep 2 secrets - that might or might not be copies of each other.",
      "commit_id": "10afe7bcb9db0b639b5ed4c9b5ffa1f12fdc18e0"
    }
  ]
}
