[oslo][security-sig] How to protect plain-text passwords in local.conf
Moises Guimaraes de Medeiros
moguimar at redhat.com
Tue Apr 9 13:17:31 UTC 2019
Right now oslo.config is capable of loading configuration values from files
(default), environment variables (env driver), command line arguments
(default), remote files (remote_file driver) and castellan (castellan
This gives you enough flexibility to come up with a hardening strategy
according to the use case. If you have any questions on how to use each
driver I'd be glad to answer as I wrote most of them.
On Tue, Apr 9, 2019 at 14:43, Jeremy Stanley <fungi at yuggoth.org> wrote:
> On 2019-04-09 08:21:26 +0000 (+0000), Akhil Jayakumar (akjayaku) wrote:
> > Is there a way we can encrypt passwords in local.conf?
> > If so could you please point me to the reference?
> [I've tagged the Oslo team and Security SIG in the subject of my
> reply to bring this to the attention of those audiences as well.]
> The problem with actually encrypting shared secrets in the
> configuration directly is that whatever reads that config needs
> access to the corresponding decryption key, so you haven't solved
> the problem, only created a new secret you also need to encrypt...
> and it's turtles all the way down from there.
> The oslo.config module supports pointing at external configuration
> sources through the use of backend drivers. One such optional
> driver is castellan which is designed for (among other things)
> retrieving values from secure data storage applications like
> Barbican and Vault. The original specification for this
> implementation in the Queens release a year ago describes the use
> case fairly well, as does this poster presentation from
> EuroPython last year. Hope this helps!
>  https://docs.openstack.org/oslo.config/latest/reference/drivers.html
>  https://docs.openstack.org/castellan/latest/
> Jeremy Stanley
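
An added example, not part of the original thread and not taken from the oslo.config or castellan documentation: a sketch of the castellan driver setup discussed above, with the plain-text setting beside the driver-based one. The file names and paths, the `secrets` group name, the `[database] connection` option chosen as the secret, and the secret id placeholder are assumptions.

```ini
# --- Before: myservice.conf (constructed name), secret stored as a literal ---
[database]
connection = mysql+pymysql://svc:PLAINTEXT_PASSWORD@db.example.org/svc

# --- After: myservice.conf, the literal is gone from this file ---
[DEFAULT]
# Names the group(s) that describe external configuration sources.
config_source = secrets

[secrets]
driver = castellan
# Castellan's own settings: which key manager backend (Barbican, Vault)
# to use and how to authenticate to it.
config_file = /etc/myservice/castellan.conf
# Maps option names to the ids of secrets held by the key manager.
mapping_file = /etc/myservice/secrets_mapping.conf

# --- secrets_mapping.conf: same group and option name as the service
# --- config, but the value is a castellan id instead of the secret ---
[database]
connection = <castellan-secret-id>

# castellan.conf still holds what is needed to reach the key manager, so it
# is the file to lock down (owner-only read, service account as owner).
# The env driver needs no config_source entry: the same option can be
# supplied as the environment variable OS_DATABASE__CONNECTION.
```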