cinder/releasenotes/notes/transfer-encrypted-volume-2f040a6993435e79.yaml
Alan Bishop d59e41fb3c Add support for transferring encrypted volumes
A new microversion 3.70 adds the ability to transfer a volume's
encryption key when transferring a volume to another project.

When the volume transfer is initiated, the volume's encryption
secret is essentially transferred to the cinder service.
- The cinder service creates a new encryption_key_id that contains
  a copy of the volume's encryption secret.
- The volume (and its snapshots) is updated with the new
  encryption_key_id (the one owned by the cinder service).
- The volume's original encryption_key_id (owned by the volume's
  owner) is deleted.

When the transfer is accepted, the secret is transferred to the
user accepting the transfer.
- A new encryption_key_id is generated on behalf of the new user
  that contains a copy of the volume's encryption secret.
- The volume (and its snapshots) is updated with the new
  encryption_key_id (the one owned by the user).
- The intermediate encryption_key_id owned by the cinder service
  is deleted.

When a transfer is cancelled (deleted), the same process is used
to transfer ownship back to the user that cancelled the transfer.

Implements: blueprint transfer-encrypted-volume
Change-Id: I459f06504e90025c9c0b539981d3d56a2a9394c7
2022-08-26 06:32:41 -07:00

9 lines
377 B
YAML

---
features:
- |
Starting with API microversion 3.70, encrypted volumes can be transferred
to a user in a different project. Prior to microversion 3.70, the transfer
is blocked due to the inability to transfer ownership of the volume's
encryption key. With microverson 3.70, ownership of the encryption key is
transferred when the volume is transferred.