I've tried to configure an encrypted volume based on the process outlined here:
https://docs.openstack.org/liberty/config-reference/content/section_create-encrypted-volume-type.html (couldn't find equivalent link for mitaka)
It resulted in creating the volume within cinder (using a charmed ceph backend), however, when attempting to attach to a nova-compute instance, I receive the following traceback, which shows that the keymgr api is not configured by the charm per this reference:
https://docs.openstack.org/mitaka/config-reference/block-storage/volume-encryption.html
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] Traceback (most recent call last):
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] File "/usr/lib/python2.7/dist-packages/nova/virt/libvirt/driver.py", line 1345, in attach_volume
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] encryption)
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] File "/usr/lib/python2.7/dist-packages/nova/virt/libvirt/driver.py", line 1286, in _get_volume_encryptor
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] **encryption)
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] File "/usr/lib/python2.7/dist-packages/nova/volume/encryptors/__init__.py", line 34, in get_volume_encryptor
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] encryptor = nop.NoOpEncryptor(connection_info, **kwargs)
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] File "/usr/lib/python2.7/dist-packages/nova/volume/encryptors/nop.py", line 28, in __init__
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] super(NoOpEncryptor, self).__init__(connection_info, **kwargs)
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] File "/usr/lib/python2.7/dist-packages/nova/volume/encryptors/base.py", line 35, in __init__
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] self._key_manager = keymgr.API()
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] File "/usr/lib/python2.7/dist-packages/nova/keymgr/__init__.py", line 33, in API
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] return cls()
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] File "/usr/lib/python2.7/dist-packages/nova/keymgr/conf_key_mgr.py", line 58, in __init__
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] raise ValueError(_('keymgr.fixed_key not defined'))
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] ValueError: keymgr.fixed_key not defined
nova-compute.log-2017-08-04 23:21:41.229 588061 ERROR nova.virt.libvirt.driver [instance: e74d5610-8521-4d6d-a05d-a68ac3020058]
nova-compute.log:2017-08-04 23:21:41.232 588061 ERROR nova.virt.block_device [req-15cb8edd-d101-4099-a776-569db18b3231 1d3dd7410c33419aac94508264038c89 1fa839daef4d4dac9dc0576ae9420453 - - -] [instance: e74d5610-8521-4d6d-a05d-a68ac3020058] Driver failed to attach volume 31b44efe-ec93-43d3-9800-f658ec6dae23 at /dev/vdb
Running trusty/Mitaka bootstack cloud with:
cinder 2:8.1.1-0ubuntu3~cloud0
nova-compute 2:13.1.4-0ubuntu1~cloud0
recently updated to openstack-charms/17.02
Confirming that currently encrypted volumes are not supported by the cinder or barbican charms. Barbican is required but the Barbican charm currently doesn't support integrating with cinder.