[openstack-dev] [oslo.config] Encrypt the sensitive options

Darren J Moffat Darren.Moffat at Oracle.COM
Tue Apr 26 15:59:09 UTC 2016

On 04/26/16 16:33, Daniel P. Berrange wrote:
> There is already barbican which could potentially fill that role:
>    "Barbican is a REST API designed for the secure storage, provisioning
>     and management of secrets such as passwords, encryption keys and X.509
>     Certificates." [1]
> On startup a process, such as nova, could contact barbican to retrieve
> the credentials it should use for authenticating with each other service
> that requires a password.

Where do the creds that nova would use to authenticate to barbican come 
from in that model ?

> As explained earlier, passwords in text files is awful for both security
> and managability at a large scale.

Agreed. Use of client side certs with TLS where the client side cert 
pathname is what goes into the configuration file can help - that way 
the config file has no credentials in it only pointers to them.  Though 
management of certs has its own problems but again Barbican can help here.

> File permissions alone cannot solve that problem.

Agreed, but the combination of file permissions and split configuration 
can be a first step in that direction especially if the default 
configuration files are "split" rather than requiring the admin to know 
about that feature and to do it. It may also help if comments about this 
were placed in the default configuration files to encourage the behaviour.

Darren J Moffat

More information about the OpenStack-dev mailing list