The nova.keymgr.key_mgr Module

Key manager API

class KeyManager

Bases: object

Base Key Manager Interface

A Key Manager is responsible for managing encryption keys for volumes. A Key Manager is responsible for creating, reading, and deleting keys.

copy_key(ctxt, key_id, **kwargs)

Copies (i.e., clones) a key stored by the key manager.

This method copies the specified key and returns the copy’s UUID. If the specified context does not permit copying keys, then a NotAuthorized error should be raised.

Implementation note: This method should behave identically to:

store_key(context, get_key(context, <encryption key UUID>))

although it is preferable to perform this operation within the key manager to avoid unnecessary handling of the key material.

create_key(ctxt, algorithm='AES', length=256, expiration=None, **kwargs)

Creates a key.

This method creates a key and returns the key’s UUID. If the specified context does not permit the creation of keys, then a NotAuthorized exception should be raised.

delete_key(ctxt, key_id, **kwargs)

Deletes the specified key.

Implementations should verify that the caller has permission to delete the key by checking the context object (ctxt). A NotAuthorized exception should be raised if the caller lacks permission.

If the specified key does not exist, then a KeyError should be raised. Implementations should preclude users from discerning the UUIDs of keys that belong to other users by repeatedly calling this method. That is, keys that belong to other users should be considered “non- existent” and completely invisible.

get_key(ctxt, key_id, **kwargs)

Retrieves the specified key.

Implementations should verify that the caller has permissions to retrieve the key by checking the context object passed in as ctxt. If the user lacks permission then a NotAuthorized exception is raised.

If the specified key does not exist, then a KeyError should be raised. Implementations should preclude users from discerning the UUIDs of keys that belong to other users by repeatedly calling this method. That is, keys that belong to other users should be considered “non- existent” and completely invisible.

store_key(ctxt, key, expiration=None, **kwargs)

Stores (i.e., registers) a key with the key manager.

This method stores the specified key and returns its UUID that identifies it within the key manager. If the specified context does not permit the creation of keys, then a NotAuthorized exception should be raised.