
Overview

Xloud Block Storage provides several hardening controls that restrict unauthorized access to sensitive storage resources, limit resource abuse, and maintain an auditable record of storage operations. Apply these controls after completing the initial service configuration to meet compliance and security baseline requirements.
Administrator Access Required — This operation requires the admin role. Contact your Xloud administrator if you do not have sufficient permissions.
Prerequisites
  • Administrator credentials with the admin role
  • Volume types and backends already configured
  • CLI authenticated via source admin-openrc.sh

Security Controls Overview

Control | Purpose | Impact
Volume type access restriction | Limit sensitive types (encrypted, high-performance) to specific projects | Prevents unauthorized access to premium tiers
Minimum volume size | Require a minimum GiB per volume | Reduces storage fragmentation
Snapshot visibility | Prevent public snapshots | Stops data leakage across project boundaries
Volume encryption | At-rest protection via LUKS | Protects data on stolen or decommissioned hardware
Audit logging | API request logging | Provides evidence for compliance audits

Restrict Volume Type Access

By default, volume types are accessible to all projects. Restrict sensitive or high-performance types to specific authorized projects:

Navigate to Volume Types

Log in to the Xloud Dashboard (https://connect.<your-domain>) and navigate to Admin → Volumes → Volume Types.

Make the type private

Click the type name, then click Edit Volume Type. Set Access to Private and save.

Grant access to authorized projects

In the volume type details, click Manage Access. Select the authorized projects and click Add Access.

Enforce Minimum Volume Size

Prevent creation of many small volumes that fragment storage capacity and inflate volume counts against quota:
Set minimum volume size for a project
openstack quota set \
  --per-volume-gigabytes 10 \
  <project-id>
A value of 10 requires every volume to be at least 10 GiB. Adjust based on your workload profile. Set globally with --class default to apply to all new projects:
Set global minimum volume size
openstack quota set \
  --per-volume-gigabytes 5 \
  --class default

Manage Snapshot Visibility

Snapshots can be set to public, making them visible and accessible to all projects. Audit and restrict public snapshots to prevent unintended data exposure:
List public snapshots across all projects
openstack volume snapshot list --all-projects \
  --property visibility=public
Make a public snapshot private
openstack volume snapshot set --private <snapshot-id>
Public snapshots expose volume data to all projects in your deployment. Audit public snapshots regularly and make them private unless cross-project sharing is explicitly required.

Enable Volume Encryption

Configure at-rest encryption on sensitive volume types to protect data on storage media. Encryption is transparent to users — all I/O is encrypted/decrypted at the hypervisor layer without application changes. Refer to the Volume Encryption guide for full configuration instructions.

Audit Logging

The Block Storage service logs all API requests including volume creation, deletion, attachment, and snapshot operations. Review service logs via XDeploy for security audits.
Event | Log Pattern | Security Significance
Volume deletion | DELETE /volumes/<id> | Data destruction
Volume type creation | POST /types | New storage tier added
Snapshot made public | PUT /snapshots/<id> with visibility=public | Potential data exposure
Quota increase | PUT /os-quota-sets/<project> | Resource limit change
Volume migration | POST /volumes/<id>/action | Data movement
Enable verbose API logging on the Block Storage service for detailed audit trails:
Access the volume service configuration via XDeploy and add debug = True to the [DEFAULT] section. Apply configuration changes and restart the service.
Debug logging is verbose and generates significant log volume. Enable only during active security audits and disable promptly when finished.
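The log patterns in the table above can be turned into a small triage script for audit reviews. This is an added example, not Xloud tooling: the log line layout, the /v3/<project> path prefix, the body fragment carrying visibility=public and all sample IDs are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Rules transcribed from the table above: (event, method, path regex, significance).
# Patterns anchor at the end of the path so an assumed /v3/<project> prefix still matches.
RULES = [
    ("Volume deletion", "DELETE", r"/volumes/[^/\s?]+$", "Data destruction"),
    ("Volume type creation", "POST", r"/types$", "New storage tier added"),
    ("Snapshot made public", "PUT", r"/snapshots/[^/\s?]+$", "Potential data exposure"),
    ("Quota increase", "PUT", r"/os-quota-sets/[^/\s?]+$", "Resource limit change"),
    ("Volume migration", "POST", r"/volumes/[^/\s?]+/action$", "Data movement"),
]

# Assumed request-line shape inside each log line: "METHOD /path HTTP/1.1"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def classify(line):
    """Return (event, significance) for a log line, or None if not audit-relevant."""
    m = REQUEST.search(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]
    for event, method, pattern, significance in RULES:
        if m["method"] == method and re.search(pattern, path):
            # The table only counts a snapshot PUT that sets visibility=public.
            if event == "Snapshot made public" and "visibility=public" not in line:
                return None
            return event, significance
    return None

def summarize(lines):
    """Count audit-relevant events across an iterable of log lines."""
    return Counter(hit[0] for hit in map(classify, lines) if hit)

# Constructed sample lines (not real Xloud output); IDs are placeholders.
SAMPLE = [
    '2024-01-01 10:00:01 INFO 10.0.0.5 "DELETE /v3/proj-a/volumes/vol-111 HTTP/1.1" status: 202',
    '2024-01-01 10:00:07 INFO 10.0.0.5 "GET /v3/proj-a/volumes/detail HTTP/1.1" status: 200',
    '2024-01-01 10:01:12 INFO 10.0.0.9 "PUT /v3/proj-b/snapshots/snap-222 HTTP/1.1" status: 200 body: visibility=public',
    '2024-01-01 10:01:30 INFO 10.0.0.9 "PUT /v3/proj-b/snapshots/snap-333 HTTP/1.1" status: 200 body: name=weekly',
    '2024-01-01 10:02:44 INFO 10.0.0.7 "PUT /v3/admin/os-quota-sets/proj-b HTTP/1.1" status: 200',
    '2024-01-01 10:03:02 INFO 10.0.0.7 "POST /v3/admin/volumes/vol-444/action HTTP/1.1" status: 202',
    '2024-01-01 10:03:40 INFO 10.0.0.7 "POST /v3/admin/types HTTP/1.1" status: 200',
]

if __name__ == "__main__":
    for event, count in summarize(SAMPLE).items():
        print(f"{count:3d}  {event}")
```

Adjust the REQUEST pattern to the line format your deployment actually emits before running it against exported service logs.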

Security Checklist

Deployment security baseline

Verify the following after initial Block Storage deployment:
  • All encrypted volume types are set to private and scoped to authorized projects
  • Public snapshot count is zero (or justified exceptions documented)
  • Minimum volume size configured per project to prevent fragmentation
  • Volume encryption enabled for any compliance-sensitive data tiers
  • Key Management service deployed with HA for encrypted volume availability
  • Service logs reviewed for anomalous patterns after first week of operation
  • Storage backend credentials (keyring files) have 0600 permissions on disk
  • Backup target credentials stored in passwords.yml (not in configuration files)

Next Steps

Volume Encryption

Configure LUKS-based at-rest encryption for volume types

Quota Management

Enforce storage limits to prevent resource exhaustion

Volume Types & QoS

Restrict volume type access to authorized projects

Admin Guide

Return to the Block Storage administration overview