<div dir="ltr"><div>As we decided at the meeting, we won't keep our own implementations of security stuff; we'll use Barbican as the single entry point for delivering secrets.</div>I haven't talked with the Barbican team, but since oslo-incubator will (someday) release the oslo.crypto lib for all projects, I think that adding an implementation of the new RFC to crypto is a good idea; it would be easy to re-use it in Barbican later, and then I will use Barbican functionality in Trove for the security improvement.<div>
<br></div><div><p dir="ltr" style="font-family:arial,sans-serif;font-size:13px;line-height:1.15;margin-top:0pt;margin-bottom:0pt;text-align:justify"><span style="vertical-align:baseline;font-size:15px;background-color:transparent;font-family:Arial">Best regards,</span></p>
<p dir="ltr" style="font-family:arial,sans-serif;font-size:13px;line-height:1.14;margin-top:0pt;margin-bottom:0pt;text-align:justify"><span style="vertical-align:baseline;font-size:15px;background-color:transparent;font-family:Arial">Denis Makogon</span></p>
<p dir="ltr" style="font-family:arial,sans-serif;font-size:13px;line-height:1.14;margin-top:0pt;margin-bottom:0pt;text-align:justify"><span style="vertical-align:baseline;font-size:15px;background-color:transparent;font-family:Arial">Mirantis, Inc.</span></p>
<p dir="ltr" style="font-family:arial,sans-serif;font-size:13px;line-height:1.14;margin-top:0pt;margin-bottom:0pt;text-align:justify"><span style="vertical-align:baseline;font-size:15px;background-color:transparent;font-family:Arial">Kharkov, Ukraine</span></p>
<br style="font-family:arial,sans-serif;font-size:13px"><span style="background-color:transparent;vertical-align:baseline;font-size:15px;font-family:Arial"></span><p dir="ltr" style="font-family:arial,sans-serif;font-size:13px;line-height:1.14;margin-top:0pt;margin-bottom:0pt;text-align:justify">
<a href="http://www.mirantis.com/" target="_blank" style="text-decoration:none"><span style="font-size:15px;font-family:Arial;background-color:transparent;text-decoration:underline;vertical-align:baseline">www.mirantis.com</span></a></p>
<p dir="ltr" style="font-family:arial,sans-serif;font-size:13px;line-height:1.14;margin-top:0pt;margin-bottom:0pt;text-align:justify"><a href="http://www.mirantis.ru/" target="_blank" style="text-decoration:none"><span style="font-size:15px;font-family:Arial;background-color:transparent;text-decoration:underline;vertical-align:baseline">www.mirantis.ru</span></a></p>
<p dir="ltr" style="font-family:arial,sans-serif;font-size:13px;line-height:1.15;margin-top:0pt;margin-bottom:0pt;text-align:justify"><span style="font-size:15px;font-family:Arial;color:rgb(17,85,204);background-color:transparent;text-decoration:underline;vertical-align:baseline"><a href="mailto:dmakogon@mirantis.com" target="_blank">dmakogon@mirantis.com</a></span></p>
</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-02-11 22:58 GMT+02:00 Michael Basnight <span dir="ltr"><<a href="mailto:mbasnight@gmail.com" target="_blank">mbasnight@gmail.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">Denis Makogon <<a href="mailto:dmakogon@mirantis.com">dmakogon@mirantis.com</a>> writes:<br>
<br>
> Good day, OpenStack DBaaS community.<br>
><br>
><br>
> I'd like to start a conversation about a guestagent security issue related<br>
> to the backup/restore process. The Trove guestagent service uses AES with a 256-bit<br>
> key (in CBC mode) [1] to encrypt backups, which are stored in a predefined<br>
> Swift container.<br>
><br>
> As you can see, the password is defined in the config file [2]. And here comes the<br>
> problem: this password is used for all tenants/projects that use Trove, and that<br>
> is a security issue. I would like to suggest a key derivation function [3]<br>
> based on static attributes specific to each tenant/project (tenant_id).<br>
> The KDF would be based upon the Python implementation of PBKDF2 [4]. The implementation<br>
> can be seen here [5].<br>
<br>
</div>I do not want to see us writing our own crypto code in Trove. I'd much<br>
rather see us use Barbican for this, assuming it fits the bill. Let's do some<br>
research on Barbican before we go and write all this.<br>
<div class=""><br>
><br>
> Also, I'm looking forward to giving the user the ability to pass a password for<br>
> the KDF that would deliver the key for backup/restore encryption/decryption; if<br>
> the ingress password (from the user) is empty, the guest will use static<br>
> attributes of the tenant (tenant_id).<br>
><br>
> To allow backward compatibility, python-troveclient should be able to pass the<br>
> old password [1] to the guestagent as one of the parameters on the restore call.<br>
><br>
> A blueprint has already been registered in the Trove Launchpad space [6].<br>
><br>
> I also foresee porting this feature to oslo-crypt, as part of the security<br>
> framework (oslo.crypto) extensions.<br>
<br>
</div>Again, I'd rather see us use Barbican for this instead of creating oslo-crypt.<br>
<div class=""><br>
><br>
> Thoughts ?<br>
><br>
> [1]<br>
> <a href="https://github.com/openstack/trove/blob/master/trove/guestagent/strategies/backup/base.py#L113-L116" target="_blank">https://github.com/openstack/trove/blob/master/trove/guestagent/strategies/backup/base.py#L113-L116</a><br>

> [2]<br>
> <a href="https://github.com/openstack/trove/blob/master/etc/trove/trove-guestagent.conf.sample#L69" target="_blank">https://github.com/openstack/trove/blob/master/etc/trove/trove-guestagent.conf.sample#L69</a><br>
> [3] <a href="http://en.wikipedia.org/wiki/Key_derivation_function" target="_blank">http://en.wikipedia.org/wiki/Key_derivation_function</a><br>
> [4] <a href="http://en.wikipedia.org/wiki/PBKDF2" target="_blank">http://en.wikipedia.org/wiki/PBKDF2</a><br>
> [5] <a href="https://gist.github.com/denismakogon/8823279" target="_blank">https://gist.github.com/denismakogon/8823279</a><br>
> [6] <a href="https://blueprints.launchpad.net/trove/+spec/backup-encryption" target="_blank">https://blueprints.launchpad.net/trove/+spec/backup-encryption</a><br>
><br>
> Best regards,<br>
> Denis Makogon<br>
> Mirantis, Inc.<br>
> Kharkov, Ukraine<br>
> <a href="http://www.mirantis.com" target="_blank">www.mirantis.com</a><br>
> <a href="http://www.mirantis.ru" target="_blank">www.mirantis.ru</a><br>
> <a href="mailto:dmakogon@mirantis.com">dmakogon@mirantis.com</a><br>
</div>> _______________________________________________<br>
> OpenStack-dev mailing list<br>
> <a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>
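<div>The thread above contrasts one static config-file password shared by every tenant with a per-tenant key derived by PBKDF2 from a user password (or, failing that, from the tenant_id), and asks for a restore path that still accepts the old static password. The block below is an added example illustrating that design; it is not Trove code, not the linked gist, and not Barbican's API. Assumed names: <code>tenant_id</code> is the Keystone project id from the request context, <code>LEGACY_STATIC_PASSWORD</code> is a constructed stand-in for the static key in trove-guestagent.conf, the header dictionary stored beside the ciphertext is invented here, and the legacy key transformation is a placeholder, not the guestagent's real one. It only derives and verifies keys; the AES-256-CBC step is left out so it runs on the standard library alone.</div>

```python
"""Per-tenant backup-key derivation with PBKDF2 (added example, not Trove code).

Assumptions: tenant_id is the Keystone project id from the request context;
LEGACY_STATIC_PASSWORD is a constructed stand-in for the static config value;
the backup header layout is invented so that restore can tell which key scheme
produced a backup and verify the re-derived key before decrypting.
"""
import hashlib
import hmac
import os

KEY_LEN = 32                      # 256-bit key for AES-256-CBC
PBKDF2_ITERATIONS = 100_000       # assumed work factor; tune to the guest's CPU
SCHEME_LEGACY = "legacy-static"   # one config-file password for every tenant
SCHEME_TENANT = "pbkdf2-tenant"   # key derived per tenant (the proposal)

LEGACY_STATIC_PASSWORD = "default_aes_cbc_key"   # constructed stand-in value


def derive_backup_key(tenant_id, user_password=None, salt=None,
                      iterations=PBKDF2_ITERATIONS):
    """Return (key, salt) for one tenant's backups.

    The PBKDF2 secret is the user-supplied password when present and the
    tenant_id otherwise, as the thread proposes. A random salt concatenated
    with the tenant_id means two tenants choosing the same password still
    get different keys. Note that tenant_id is not secret, so the fallback
    only separates tenants from each other; it does not replace a password.
    """
    if not tenant_id:
        raise ValueError("tenant_id is required")
    secret = user_password if user_password else tenant_id
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                              salt + tenant_id.encode("utf-8"),
                              iterations, dklen=KEY_LEN)
    return key, salt


def key_check_value(key, salt):
    """Truncated HMAC tag proving a re-derived key matches the one used at
    backup time, without revealing the key. Checked before decryption so a
    wrong password fails cleanly instead of yielding garbage plaintext."""
    return hmac.new(key, b"backup-kcv|" + salt, hashlib.sha256).digest()[:16]


def create_backup_key(tenant_id, user_password=None):
    """Derive a fresh key plus the header stored beside the ciphertext.
    The header carries only what restore needs to re-derive and verify the
    key; the key itself is never written to Swift."""
    key, salt = derive_backup_key(tenant_id, user_password)
    header = {
        "scheme": SCHEME_TENANT,
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt,
        "kcv": key_check_value(key, salt),
    }
    return key, header


def restore_backup_key(header, tenant_id, user_password=None,
                       legacy_password=None):
    """Select the key for a restore.

    Old backups carry the legacy scheme and need the static password that the
    client passes through on the restore call (backward compatibility). New
    backups re-derive the per-tenant key and verify it against the header.
    """
    if header["scheme"] == SCHEME_LEGACY:
        if legacy_password is None:
            raise ValueError("legacy backup: static password not supplied")
        # Placeholder for the legacy password-to-key step; the same value
        # comes out for every tenant, which is the weakness being fixed.
        return hashlib.sha256(legacy_password.encode("utf-8")).digest()
    if header["scheme"] != SCHEME_TENANT:
        raise ValueError("unknown key scheme %r" % header["scheme"])
    key, _ = derive_backup_key(tenant_id, user_password, salt=header["salt"],
                               iterations=header["iterations"])
    if not hmac.compare_digest(key_check_value(key, header["salt"]),
                               header["kcv"]):
        raise ValueError("wrong password or tenant for this backup")
    return key


def password_unlocks(header, tenant_id, user_password=None):
    """True if the given tenant/password re-derives the backup's key."""
    try:
        restore_backup_key(header, tenant_id, user_password)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key_a, hdr_a = create_backup_key("tenant-a", "s3cret")
    key_b, hdr_b = create_backup_key("tenant-b", "s3cret")
    print("same password, different tenants, different keys:", key_a != key_b)
    print("correct password unlocks:", password_unlocks(hdr_a, "tenant-a", "s3cret"))
    print("wrong password rejected:", not password_unlocks(hdr_a, "tenant-a", "nope"))
```

<div>Two design points worth noting: the salt and iteration count travel with the backup so the guest can re-derive the key years later even if defaults change, and the key-check value lets a restore with the wrong password fail before any decryption, instead of producing a corrupt dump that the database import then chokes on.</div>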