[openstack-dev] [Fuel] Add support for Keystone's Fernet encryption keys management: initialization, rotation

Adam Heczko aheczko at mirantis.com
Thu Jul 16 14:22:45 UTC 2015

Hi Folks,
Keystone supports Fernet tokens which have payload encrypted by AES 128 bit
Although AES 128 bit key looks secure enough for most OpenStack deployments
[2], one may would like to rotate encryption keys according to already
proposed 3 step key rotation scheme (in case keys get compromised or
organizational security policy requirement).
Also creation and initial AES key distribution between Keystone HA nodes
could be challenging and this complexity could be handled by Fuel
deployment tool.

In regards to Fuel, I'd like to:
1. Add support for initializing Keystone's Fernet signing keys to Fuel
during OpenStack cluster (Keystone) deployment
2. Add support for rotating Keystone's Fernet signing keys to Fuel
according to some automatic schedule (for example one rotation per week) or
triggered from the Fuel web user interface or through Fuel API.

These two capabilities will be implemented in Fuel by related blueprint [1].

[1] https://blueprints.launchpad.net/fuel/+spec/fernet-tokens-support
[2] http://www.eetimes.com/document.asp?doc_id=1279619


Adam Heczko
Security Engineer @ Mirantis Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150716/fa278ae0/attachment.html>

More information about the OpenStack-dev mailing list