[openstack-dev] [Trove] Backup/Restore encryption/decryption issue
Denis Makogon
dmakogon at mirantis.com
Wed Feb 5 16:01:35 UTC 2014
Good day, OpenStack DBaaS community.
I'd like to start a conversation about a guestagent security issue related
to the backup/restore process. The Trove guestagent service uses AES with a
256-bit key (in CBC mode) [1] to encrypt backups, which are stored in a
predefined Swift container.
As you can see, the password is defined in the config file [2]. And here comes
the problem: this password is used for all tenants/projects that use Trove;
it is a security issue. I would like to suggest a key derivation function [3]
based on static attributes specific to each tenant/project (tenant_id).
The KDF would be based upon a Python implementation of PBKDF2 [4]. The
implementation can be seen here [5].
I'm also looking forward to giving the user the ability to pass a password
for the KDF that would deliver the key for backup/restore
encryption/decryption; if the ingress password (from the user) is empty, the
guest will use static attributes of the tenant (tenant_id).
To allow backward compatibility, python-troveclient should be able to pass
the old password [1] to the guestagent as one of the parameters on the
restore call.
A blueprint has already been registered in the Trove Launchpad space [6].
I also foresee porting this feature to oslo-crypt, as part of the security
framework (oslo.crypto) extensions.
Thoughts?
[1] https://github.com/openstack/trove/blob/master/trove/guestagent/strategies/backup/base.py#L113-L116
[2] https://github.com/openstack/trove/blob/master/etc/trove/trove-guestagent.conf.sample#L69
[3] http://en.wikipedia.org/wiki/Key_derivation_function
[4] http://en.wikipedia.org/wiki/PBKDF2
[5] https://gist.github.com/denismakogon/8823279
[6] https://blueprints.launchpad.net/trove/+spec/backup-encryption
Best regards,
Denis Makogon
Mirantis, Inc.
Kharkov, Ukraine
www.mirantis.com
www.mirantis.ru
dmakogon at mirantis.com
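Editor's added example of the per-tenant key derivation the message proposes. This is not Trove's code and not the gist linked as [5]; it uses only the Python standard library (hashlib.pbkdf2_hmac, hmac, os). All names, the metadata layout, and the iteration counts are assumptions chosen for illustration. It deliberately goes one step beyond the proposal in two places: when the user supplies no password, the deployment-wide secret from trove-guestagent.conf [2] is the PBKDF2 secret and the tenant_id is bound into the salt (a tenant_id is a visible identifier, so it should select the key but not be the only secret behind it); and 64 bytes are derived so that the second half can key an HMAC over the ciphertext, since AES-256-CBC by itself gives no integrity. The AES step stays with the existing openssl pipeline and is not reproduced here.

```python
"""Per-tenant backup key derivation with PBKDF2 (added example, not Trove code)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

KDF_NAME = "pbkdf2-sha256"      # assumed label, recorded with each backup
MIN_ITERATIONS = 100_000        # assumed floor enforced on restore
DEFAULT_ITERATIONS = 200_000    # assumed default for new backups
SALT_LEN = 16
KEY_LEN = 32                    # 256-bit key for AES-256-CBC

KeyInfo = Dict[str, object]     # metadata stored next to the backup object in Swift


def _derive(tenant_id: str, secret: bytes, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 over `secret` with the tenant_id bound into the salt.

    64 bytes come out: the first half is the AES-256 key, the second half keys
    an HMAC over the ciphertext (CBC mode provides no integrity on its own).
    """
    bound_salt = hashlib.sha256(tenant_id.encode("utf-8") + b"|" + salt).digest()
    okm = hashlib.pbkdf2_hmac("sha256", secret, bound_salt, iterations, dklen=2 * KEY_LEN)
    return okm[:KEY_LEN], okm[KEY_LEN:]


def _secret_for(user_password: Optional[str], static_secret: str) -> Tuple[bytes, str]:
    """Pick the PBKDF2 secret: the user's password if given, else the config secret."""
    if user_password:
        return user_password.encode("utf-8"), "user"
    # Fallback when the user passes no password (assumed variant of the proposal):
    # the deployment-wide secret from trove-guestagent.conf is the secret and the
    # tenant_id, which is not confidential, only selects the key via the salt.
    return static_secret.encode("utf-8"), "tenant"


def new_backup_keys(tenant_id: str, user_password: Optional[str], static_secret: str,
                    iterations: int = DEFAULT_ITERATIONS) -> Tuple[bytes, bytes, KeyInfo]:
    """Keys for a fresh backup plus the metadata restore needs to recompute them."""
    secret, source = _secret_for(user_password, static_secret)
    salt = os.urandom(SALT_LEN)          # fresh per backup, stored in the metadata
    enc_key, mac_key = _derive(tenant_id, secret, salt, iterations)
    info: KeyInfo = {"kdf": KDF_NAME, "iterations": iterations,
                     "salt": salt.hex(), "source": source}
    return enc_key, mac_key, info


def restore_backup_keys(info: KeyInfo, tenant_id: str, user_password: Optional[str],
                        static_secret: str) -> Tuple[bytes, bytes]:
    """Recompute keys from stored metadata; the metadata is untrusted input."""
    if info.get("kdf") != KDF_NAME:
        raise ValueError("unknown KDF %r" % (info.get("kdf"),))
    iterations = int(str(info["iterations"]))
    if iterations < MIN_ITERATIONS:
        # a tampered object could try to force a cheap-to-brute-force derivation
        raise ValueError("iteration count %d below floor" % iterations)
    secret, source = _secret_for(user_password, static_secret)
    if source != info.get("source"):
        raise ValueError("backup keyed from %r, restore supplied %r" % (info.get("source"), source))
    return _derive(tenant_id, secret, bytes.fromhex(str(info["salt"])), iterations)


def tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """HMAC-SHA256 over the ciphertext, stored alongside it."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify_tag(mac_key: bytes, ciphertext: bytes, expected: bytes) -> bool:
    """Constant-time check before any decryption is attempted."""
    return hmac.compare_digest(tag(mac_key, ciphertext), expected)


if __name__ == "__main__":
    conf_secret = "static-secret-from-trove-guestagent.conf"   # constructed value
    ciphertext = b"\x8f\x1a openssl output stand-in (constructed)"  # constructed value
    enc_a, mac_a, info_a = new_backup_keys("tenant-a", None, conf_secret)
    enc_b, _, _ = new_backup_keys("tenant-b", None, conf_secret)
    assert enc_a != enc_b                      # same config secret, different tenants
    t = tag(mac_a, ciphertext)
    enc_r, mac_r = restore_backup_keys(info_a, "tenant-a", None, conf_secret)
    assert enc_r == enc_a and verify_tag(mac_r, ciphertext, t)
    print("per-tenant keys derived, stored metadata round-tripped, tag verified")
```

The `info` dict is what the guest would write as object metadata next to the backup in Swift; because anyone who can write to the container can edit it, restore treats it as untrusted and refuses an unknown KDF name, an iteration count below the floor, or a key source that does not match what the caller supplied (a user-password backup cannot be opened by the tenant fallback, and vice versa). The random per-backup salt means two backups of the same tenant never share a key even with identical inputs. The backward-compatibility path from the message (the old static password passed on the restore call) would sit beside this as a separate, legacy-only branch selected by the stored metadata, not by the caller.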