[openstack-dev] [Fuel] Add support for Keystone's Fernet encryption keys management: initialization, rotation
davanum at gmail.com
Thu Jul 16 15:29:44 UTC 2015
For 1, do we let the user configure max_active_keys? What's the default?
Please note that there is a risk that an active token may be
invalidated if Fernet key rotation removes keys early. So that's a
potential issue to keep in mind (relation of token expiry to period of
On Thu, Jul 16, 2015 at 10:22 AM, Adam Heczko <aheczko at mirantis.com> wrote:
> Hi Folks,
> Keystone supports Fernet tokens which have payload encrypted by AES 128 bit
> Although an AES 128 bit key looks secure enough for most OpenStack deployments,
> one may want to rotate encryption keys according to the already
> proposed 3 step key rotation scheme (in case keys get compromised or
> organizational security policy requires it).
> Also creation and initial AES key distribution between Keystone HA nodes
> could be challenging and this complexity could be handled by Fuel deployment
> In regards to Fuel, I'd like to:
> 1. Add support for initializing Keystone's Fernet signing keys to Fuel
> during OpenStack cluster (Keystone) deployment
> 2. Add support for rotating Keystone's Fernet signing keys to Fuel according
> to some automatic schedule (for example one rotation per week) or triggered
> from the Fuel web user interface or through Fuel API.
> These two capabilities will be implemented in Fuel by the related blueprint.
>  https://blueprints.launchpad.net/fuel/+spec/fernet-tokens-support
>  http://www.eetimes.com/document.asp?doc_id=1279619
> Adam Heczko
> Security Engineer @ Mirantis Inc.
Davanum Srinivas :: https://twitter.com/dims
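The rotation risk raised above (keys removed before tokens signed with them expire) can be checked numerically. The following is an added example, not code from this thread or from Keystone or Fuel: it models Keystone's Fernet key directory as a small in-memory ring (key 0 staged, highest index primary, oldest secondaries purged down to max_active_keys on rotation), derives the lower bound on max_active_keys from the token lifetime and rotation period, and simulates the worst case of a token issued just before a rotation. Key material is represented by labels, not real AES keys, and the class and function names are my own. For reference, Keystone's default for max_active_keys in the [fernet_tokens] section is 3.

```python
"""Model of Keystone Fernet key-ring rotation and the max_active_keys bound.

Simplified model (assumption, not Keystone's code): key index 0 is the staged
key, the highest index is the primary key used to sign new tokens, and a
rotation promotes the staged key to primary, creates a fresh staged key, and
purges the oldest secondary keys until only max_active_keys remain.
"""
import math


class FernetKeyRing:
    """In-memory stand-in for the fernet-keys directory (labels, not real keys)."""

    def __init__(self, max_active_keys):
        if max_active_keys < 2:
            raise ValueError("need at least a staged and a primary key")
        self.max_active_keys = max_active_keys
        # Initial setup: primary key 1 plus staged key 0. The staged material
        # is labelled with the index it will receive when promoted.
        self.keys = {1: "m1", 0: "m2"}

    def primary_index(self):
        return max(self.keys)

    def rotate(self):
        new_primary = self.primary_index() + 1
        # The staged key becomes the new primary (its material is kept).
        self.keys[new_primary] = self.keys.pop(0)
        # A fresh staged key is created; it is never used to sign until promoted.
        self.keys[0] = f"m{new_primary + 1}"
        # Purge the oldest secondaries until the ring fits max_active_keys.
        while len(self.keys) > self.max_active_keys:
            oldest = min(k for k in self.keys if k != 0)
            del self.keys[oldest]

    def can_validate(self, key_index):
        """A token signed with key_index is only decryptable while it remains."""
        return key_index in self.keys


def required_max_active_keys(token_expiration_s, rotation_period_s):
    """Lower bound so that no unexpired token loses its signing key:
    one staged key, one primary key, and enough secondaries to cover the
    longest token lifetime measured in whole rotation periods."""
    return math.ceil(token_expiration_s / rotation_period_s) + 2


def token_survives_rotations(token_expiration_s, rotation_period_s, max_active_keys):
    """Worst case: a token issued one second before the first rotation.
    Returns True if its signing key is still in the ring after every rotation
    that happens before the token expires."""
    ring = FernetKeyRing(max_active_keys)
    issued_at = rotation_period_s - 1
    signing_key = ring.primary_index()  # key 1 at this point
    expires_at = issued_at + token_expiration_s
    t = rotation_period_s
    while t < expires_at:
        ring.rotate()
        if not ring.can_validate(signing_key):
            return False
        t += rotation_period_s
    return True


if __name__ == "__main__":
    # Weekly rotation (as suggested in the thread) with one-hour tokens.
    hour, week = 3600, 7 * 24 * 3600
    print("weekly rotation, 1h tokens ->", required_max_active_keys(hour, week))
    print("survives with 3 keys:", token_survives_rotations(hour, week, 3))
    print("survives with 2 keys:", token_survives_rotations(hour, week, 2))
```

With the weekly schedule proposed in the thread and one-hour tokens, the bound is 3 (Keystone's default), so rotating weekly with the default is safe; a faster schedule, such as rotating every 8 hours with 24-hour tokens, needs max_active_keys of at least 5, and the simulation shows a token losing its key at the third rotation if the value stays at 4.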