At-rest Encryption in OpenStack Swift
Thursday 4:35 p.m.–5:20 p.m.
Target audience: Developer
Recently, the OpenStack Swift project released a feature that implements server-side encryption. The feature is designed to protect user data from being exposed if drives leave the cluster, which can happen deliberately (for example through an RMA process) or otherwise, through mistakes or malicious action. If drives leave the cluster, we want to be sure that the users' data is protected and cannot be recovered from them. Swift's at-rest encryption feature encrypts user data and metadata with AES, using a unique key for every object stored.
In this talk, we will cover the details of how the server-side encryption works, including the on-disk format, and we'll dig into the key management used. We'll also discuss the ways in which this feature can be improved to support more advanced functionality and more robust key management.
John has been working on the Swift object storage engine since 2009. Swift became one of the founding projects in OpenStack in 2010, and John has served as Swift's Project Technical Lead since 2011.