Liberty

 Testing volume encryption

This is a simple test scenario to help validate your encryption. It assumes an LVM-based Block Storage server.

Perform these steps after completing the volume encryption setup and creating the volume-type for LUKS as described in the preceding sections.

  1. Create a VM:

    $ nova boot --flavor m1.tiny --image cirros-0.3.1-x86_64-disk vm-test
  2. Create two volumes, one encrypted and one not encrypted, then attach them to your VM:

    $ cinder create --display-name 'unencrypted volume' 1
    $ cinder create --display-name 'encrypted volume' --volume-type LUKS 1
    $ cinder list
    +--------------------------------------+-----------+--------------------+------+-------------+----------+-------------+
    |                  ID                  |   Status  |        Name        | Size | Volume Type | Bootable | Attached to |
    +--------------------------------------+-----------+--------------------+------+-------------+----------+-------------+
    | 64b48a79-5686-4542-9b52-d649b51c10a2 | available | unencrypted volume |  1   |     None    |  false   |             |
    | db50b71c-bf97-47cb-a5cf-b4b43a0edab6 | available |  encrypted volume  |  1   |     LUKS    |  false   |             |
    +--------------------------------------+-----------+--------------------+------+-------------+----------+-------------+
    $ nova volume-attach vm-test 64b48a79-5686-4542-9b52-d649b51c10a2 /dev/vdb
    $ nova volume-attach vm-test db50b71c-bf97-47cb-a5cf-b4b43a0edab6 /dev/vdc
  3. On the VM, send some text to the newly attached volumes and synchronize them:

    # echo "Hello, world (unencrypted /dev/vdb)" >> /dev/vdb
    # echo "Hello, world (encrypted /dev/vdc)" >> /dev/vdc
    # sync && sleep 2
    # sync && sleep 2
  4. On the system hosting cinder volume services, synchronize to flush the I/O cache, then test to see if your strings can be found:

    # sync && sleep 2
    # sync && sleep 2
    # strings /dev/stack-volumes/volume-* | grep "Hello"
    Hello, world (unencrypted /dev/vdb)

In the above example, the search returns the string written to the unencrypted volume, but not the one written to the encrypted volume.
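
The `strings | grep` test above only shows that the marker is absent, which would also be the case if the write never reached the backing volume. The following added example (not part of the OpenStack guide) pairs the marker search with a positive check for the LUKS header magic on each backing volume. The function names and result labels are hypothetical, the sample files are constructed stand-ins for `/dev/stack-volumes/volume-*`, and it assumes the LUKS header sits at the start of the backing logical volume.

```shell
#!/bin/sh
# Added example (not from the OpenStack guide): classify each backing volume by
# LUKS header magic and by whether the test marker is readable in the raw data.

is_luks() {
    # LUKS headers begin with the 6 bytes "LUKS" 0xBA 0xBE.
    magic=$(od -An -tx1 -N6 "$1" | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

has_marker() {
    # -a: treat binary data as text, -F: fixed string, -q: exit status only.
    LC_ALL=C grep -aqF -- "$2" "$1"
}

check_volume() {
    # Usage: check_volume DEVICE MARKER
    # Prints ENCRYPTED, PLAINTEXT, MISMATCH or INCONCLUSIVE (hypothetical labels).
    if is_luks "$1"; then
        if has_marker "$1" "$2"; then echo MISMATCH; else echo ENCRYPTED; fi
    elif has_marker "$1" "$2"; then
        echo PLAINTEXT
    else
        echo INCONCLUSIVE   # no header, no marker: write not flushed or wrong device
    fi
}

make_samples() {
    # Constructed stand-ins for /dev/stack-volumes/volume-* so this runs offline.
    printf 'Hello, world (unencrypted /dev/vdb)\n' > "$1/volume-plain"
    printf 'LUKS\272\276\000\001q8#Zr1~kV0xT' > "$1/volume-luks"
    printf 'LUKS\272\276\000\001Hello, world\n' > "$1/volume-mismatch"
    : > "$1/volume-empty"
}

report() {
    # Usage: report MARKER DEVICE...
    marker=$1; shift
    for dev in "$@"; do
        printf '%s\t%s\n' "$dev" "$(check_volume "$dev" "$marker")"
    done
}

tmp=$(mktemp -d)
make_samples "$tmp"
report "Hello" "$tmp"/volume-*
rm -rf "$tmp"
```

On the system hosting cinder volume services, the same check runs against the real devices as `report "Hello" /dev/stack-volumes/volume-*` (as root). Expect ENCRYPTED for the LUKS volume and PLAINTEXT for the other.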
