[openstack-dev] [Fuel] Add support for Keystone's Fernet encryption keys management: initialization, rotation

Dolph Mathews dolph.mathews at gmail.com
Thu Jul 16 15:33:25 UTC 2015


On Thu, Jul 16, 2015 at 10:29 AM, Davanum Srinivas <davanum at gmail.com>
wrote:

> Adam,
>
> For 1, do we let user configure max_active_keys? what's the default?
>

The default in keystone is 3, simply to support having one key in each of
the three phases of rotation. You can increase it from there per your
desired rotation frequency and token lifespan.


>
> Please note that there is a risk that an active token may be
> invalidated if Fernet key rotation removes keys early. So that's a
> potential issue to keep in mind (relation of token expiry to period of
> key rotation).
>

Keystone's three phase rotation scheme avoids this by allowing you to
pre-stage keys across the cluster before using them for encryption.
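The two points above (the `max_active_keys` default of 3, and pre-staging avoiding invalidation of live tokens) can be walked through in a small simulation. The following is an added example, not Keystone's or Fuel's code: it models Keystone's key repository convention (index 0 is the staged key, the highest index is the primary key, the rest are secondary keys) and Keystone's rotation order (staged key becomes primary, a fresh staged key is written, oldest secondary keys are purged down to `max_active_keys`). A keyed HMAC stands in for Fernet's AES encryption so the example runs with the standard library only; the key material, token payloads and the "naive rotation" counter-example are constructed for illustration.

```python
import hashlib
import hmac
import os


class FernetKeyRepository:
    """Toy model of a Keystone Fernet key repository (hypothetical, not
    Keystone's code). Index 0 is the staged key, the highest index is the
    primary key, everything in between is a secondary key."""

    def __init__(self, max_active_keys=3):
        # Staged and primary keys are both counted, so this toy needs at least 2.
        if max_active_keys < 2:
            raise ValueError("max_active_keys must be at least 2 in this model")
        self.max_active_keys = max_active_keys
        self.keys = {}

    def initialize(self):
        # Initial setup: a staged key (0) and a primary key (1).
        self.keys = {0: os.urandom(32), 1: os.urandom(32)}
        return self

    def copy(self):
        # Stands in for distributing the same repository to another Keystone node.
        clone = FernetKeyRepository(self.max_active_keys)
        clone.keys = dict(self.keys)
        return clone

    @property
    def primary_index(self):
        return max(self.keys)

    def rotate(self):
        # Phase 1: the staged key is promoted to primary under the next index.
        self.keys[self.primary_index + 1] = self.keys.pop(0)
        # Phase 2: a fresh staged key is written as index 0; it will only be
        # used for encryption after the *next* rotation, so every node can
        # receive it before any node encrypts with it.
        self.keys[0] = os.urandom(32)
        # Phase 3: purge the oldest secondary keys until the repository holds
        # at most max_active_keys keys (staged and primary are never purged).
        while len(self.keys) > self.max_active_keys:
            oldest_secondary = min(i for i in self.keys if i != 0)
            del self.keys[oldest_secondary]
        return self

    def issue(self, payload):
        # Real Fernet encrypts with the primary key; an HMAC tag stands in here.
        tag = hmac.new(self.keys[self.primary_index], payload, hashlib.sha256).digest()
        return payload, tag

    def validate(self, token):
        payload, tag = token
        # A Fernet token does not name its key, so every key in the repository
        # (primary and secondaries, plus staged) is tried on validation.
        return any(
            hmac.compare_digest(tag, hmac.new(k, payload, hashlib.sha256).digest())
            for k in self.keys.values()
        )


def rotations_token_survives(max_active_keys):
    """How many rotations a freshly issued token stays valid for; this is the
    bound that the token lifespan must stay under (max_active_keys - 2)."""
    repo = FernetKeyRepository(max_active_keys).initialize()
    token = repo.issue(b"token-for-user-42")  # constructed payload
    survived = 0
    while repo.rotate().validate(token):
        survived += 1
    return survived


def token_survives_staged_rollout():
    """Node A rotates before node B does and issues a token with its new
    primary key; B still validates it because that key was B's staged key."""
    node_a = FernetKeyRepository(3).initialize()
    node_b = node_a.copy()
    node_a.rotate()
    token = node_a.issue(b"token-issued-by-node-a")
    return node_b.validate(token)


def token_fails_without_staging():
    """Counter-example (hypothetical scheme): A mints a brand-new primary key
    that was never distributed, so B cannot validate A's token."""
    node_a = FernetKeyRepository(3).initialize()
    node_b = node_a.copy()
    node_a.keys[node_a.primary_index + 1] = os.urandom(32)
    token = node_a.issue(b"token-issued-by-node-a")
    return node_b.validate(token)


if __name__ == "__main__":
    print("rotations survived with max_active_keys=3:", rotations_token_survives(3))
    print("staged rollout keeps token valid:", token_survives_staged_rollout())
    print("non-staged rollout keeps token valid:", token_fails_without_staging())
```

With the default of 3 the repository holds exactly staged, primary and one secondary key, so a token survives one rotation and is rejected on the second; raising `max_active_keys` widens that window, which is the trade-off between rotation period and token expiry raised in the thread.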


>
> thanks,
> dims
>
>
> On Thu, Jul 16, 2015 at 10:22 AM, Adam Heczko <aheczko at mirantis.com>
> wrote:
> > Hi Folks,
> > Keystone supports Fernet tokens, whose payload is encrypted by an AES 128 bit
> > key.
> > Although an AES 128 bit key looks secure enough for most OpenStack deployments
> > [2], one may want to rotate encryption keys according to the already
> > proposed 3 step key rotation scheme (in case keys get compromised or
> > organizational security policy requirement).
> > Also creation and initial AES key distribution between Keystone HA nodes
> > could be challenging and this complexity could be handled by Fuel deployment
> > tool.
> >
> > In regards to Fuel, I'd like to:
> > 1. Add support for initializing Keystone's Fernet signing keys to Fuel
> > during OpenStack cluster (Keystone) deployment
> > 2. Add support for rotating Keystone's Fernet signing keys to Fuel according
> > to some automatic schedule (for example one rotation per week) or triggered
> > from the Fuel web user interface or through Fuel API.
> >
> > These two capabilities will be implemented in Fuel by related blueprint [1].
> >
> > [1] https://blueprints.launchpad.net/fuel/+spec/fernet-tokens-support
> > [2] http://www.eetimes.com/document.asp?doc_id=1279619
> >
> >
> > Regards,
> >
> > --
> > Adam Heczko
> > Security Engineer @ Mirantis Inc.
> >
> >
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>
>
>
> --
> Davanum Srinivas :: https://twitter.com/dims
>