Thursday, April 18 • 1:30pm - 2:10pm
Key Manager


OpenStack services such as Cinder are offering encryption for volumes, an off-shoot implementation exists for Swift, and Glance is a logical next candidate. Encryption involves keys: their creation, access control, and secure maintenance. Several blueprints touch on it. Let us design and develop a high-availability solution, perhaps a sub-service of Keystone (on par with Identity). With PKI tokens and X509 certificates in OpenStack now, the encryption keys could be encoded before being saved. For example, a volume encryption key would be "owned" by Cinder, so it could be encoded using Cinder's public key.
Would it be useful to have a reference count associated with keys, so that when all objects associated with a key are deleted, the key may be deleted? Support key caching on the services to reduce chattiness with Keystone.

(Session proposed by Malini Bhandaru)


Thursday April 18, 2013 1:30pm - 2:10pm PDT
B114
