On 2019-04-09 08:21:26 +0000 (+0000), Akhil Jayakumar (akjayaku) wrote:
> Is there a way we can encrypt passwords in local.conf?
>
> If so could you please point me to the reference?

[I've tagged the Oslo team and Security SIG in the subject of my reply to bring this to the attention of those audiences as well.]

The problem with actually encrypting shared secrets in the configuration directly is that whatever reads that config needs access to the corresponding decryption key, so you haven't solved the problem only created a new secret you also need to encrypt... and it's turtles all the way down from there.

The oslo.config module supports pointing at external configuration sources through the use of backend drivers[1]. One such optional driver is castellan[2] which is designed for (among other things) retrieving values from secure data storage applications like Barbican and Vault. The original specification[3] for this implementation in the Queens release a year ago describes the use case fairly well, as does this poster presentation[4] from EuroPython last year. Hope this helps!

[1] https://docs.openstack.org/oslo.config/latest/reference/drivers.html
[2] https://docs.openstack.org/castellan/latest/
[3] https://specs.openstack.org/openstack/oslo-specs/specs/queens/oslo-config-drivers.html
[4] https://ep2018.europython.eu/media/conference/slides/mastering-applicationservice-configuration.pdf

--
Jeremy Stanley
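
A sketch of the castellan driver setup the reply points to, added here as an example and not part of the original message. The file names, the `[database] connection` option chosen, the Vault URL and the secret ID are placeholders or assumptions; check the option names against the driver documentation linked in [1] and [2] for your release.

```ini
# ---- myservice.conf (hypothetical service config read by oslo.config) ----
# Before: the shared secret sits in plain text in the service config.
# [database]
# connection = mysql+pymysql://svc:PLAINTEXT_PASSWORD@db.example.org/svc

# After: no secret here. config_source names a group that describes
# an external configuration source.
[DEFAULT]
config_source = secrets

[secrets]
driver = castellan
# Settings for the key manager backend (see castellan.conf below).
config_file = /etc/myservice/castellan.conf
# Maps oslo.config options to secret IDs held by the key manager.
mapping_file = /etc/myservice/castellan_mapping.conf

# ---- castellan_mapping.conf ----
# Section and option names mirror the service's own config groups;
# the value is the ID of the secret in the key manager, not the
# secret itself. The ID below is a placeholder.
[database]
connection = <secret-id-in-key-manager>

# ---- castellan.conf ----
# Selects the secure storage backend (Vault here; Barbican is the
# other backend named in the message).
[key_manager]
backend = vault

[vault]
vault_url = https://vault.example.org:8200
# The credential the service uses to authenticate to the backend is
# configured here as well. This is the one remaining bootstrap
# secret: keep this file readable only by the service account.
```

This does not escape the "turtles" problem the reply describes: it narrows it to a single backend credential, which can be scoped, rotated and audited in the key manager instead of being copied into every service config.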