[oslo][security-sig] How to protect plain-text passwords in local.conf

Jeremy Stanley fungi at yuggoth.org
Tue Apr 9 12:42:11 UTC 2019

On 2019-04-09 08:21:26 +0000 (+0000), Akhil Jayakumar (akjayaku) wrote:
> Is there a way we can encrypt passwords in local.conf?
> If so could you please point me to the reference?

[I've tagged the Oslo team and Security SIG in the subject of my
reply to bring this to the attention of those audiences as well.]

The problem with actually encrypting shared secrets in the
configuration directly is that whatever reads that config needs
access to the corresponding decryption key, so you haven't solved
the problem, only created a new secret you also need to encrypt...
and it's turtles all the way down from there.

The oslo.config module supports pointing at external configuration
sources through the use of backend drivers[1]. One such optional
driver is castellan[2] which is designed for (among other things)
retrieving values from secure data storage applications like
Barbican and Vault. The original specification[3] for this
implementation in the Queens release a year ago describes the use
case fairly well, as does this poster presentation[4] from
EuroPython last year. Hope this helps!

[1] https://docs.openstack.org/oslo.config/latest/reference/drivers.html
[2] https://docs.openstack.org/castellan/latest/
[3] https://specs.openstack.org/openstack/oslo-specs/specs/queens/oslo-config-drivers.html
[4] https://ep2018.europython.eu/media/conference/slides/mastering-applicationservice-configuration.pdf
Jeremy Stanley
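As an added illustration of the backend-driver approach referenced above (this is not part of the original message, and the section name, file paths and the secret-id placeholder are assumptions), this is the shape of an oslo.config configuration that pulls a password from a key manager through the castellan driver instead of storing it in clear text:

```ini
# Added example, not taken from the mailing-list post.
# Section name "barbican_secrets", the file paths and the secret id
# are assumptions; substitute your own.

# --- /etc/nova/nova.conf (assumed path) ---------------------------
# Point oslo.config at a named configuration source; no plaintext
# password is kept in this file.
[DEFAULT]
config_source = barbican_secrets

# Definition of that source: use the castellan driver.
# config_file holds the castellan key-manager settings (backend,
# auth endpoint); mapping_file says which option comes from which
# stored secret.
[barbican_secrets]
driver = castellan
config_file = /etc/nova/castellan.conf
mapping_file = /etc/nova/secrets-mapping.conf

# --- /etc/nova/secrets-mapping.conf (assumed path) -----------------
# Same group/option layout as the main config, but each value is the
# id of the secret stored in Barbican (or Vault), which castellan
# fetches when the option is read.
[database]
password = SECRET-ID-PLACEHOLDER
```

The service still needs credentials to reach the key manager, which is the remaining secret the reply refers to, but it is one credential with its own access controls and audit trail rather than passwords scattered across config files.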
