[Openstack-security] [Bug 1158328] Re: passwords in config files stored in plaintext

John Haller john.haller at alcatel-lucent.com
Sat Jan 3 23:07:49 UTC 2015


The only way to solve problems like this is through a dedicated unit to
store a secret like a TPM on each server, and even that won't help if
someone can log in to the server as a privileged user and use the
dedicated unit to generate an access key. Using Barbican isn't the total
solution, as to allow the machine to retrieve a secret from Barbican
requires that the machine have a secret it can use to access Barbican.
GSSAPI doesn't help, as it requires a token, not significantly different
than a password, to be available or embedded in the program to start the
exchange. However, it's probably best to delegate the problem to
Barbican and store the Cinder secrets there. This would leave it up to
Barbican to support hardware plugins to securely store secrets, as well
as leaving it as an exercise for the reader to properly protect access
to the hardware device.  Otherwise, every service on each server is
going to have to implement its own mechanism, and they will all be
different.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1158328

Title:
  passwords in config files stored in plaintext

Status in Cinder:
  Confirmed
Status in OpenStack Compute (Nova):
  Won't Fix

Bug description:
  The credentials for database connections and the keystone authtoken
  are stored in plaintext within the nova.conf and apipaste config
  files.

  These values should be encrypted.  A scheme similar to /etc/shadow
  would be great.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1158328/+subscriptions
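An added audit check, not taken from this bug thread or from any OpenStack project code, that finds the kind of plaintext credentials the report describes in a constructed nova.conf fragment: dedicated password options and passwords embedded in the database connection URL. The sample config, the option names treated as secret and the masking format are assumptions for illustration.

```python
import configparser
import os
import stat
from urllib.parse import urlsplit

# Constructed sample nova.conf fragment (assumed shape, not from the bug report).
SAMPLE_NOVA_CONF = """
[DEFAULT]
debug = False

[database]
connection = mysql+pymysql://nova:S3cretDBpass@db.example.internal/nova

[keystone_authtoken]
auth_url = http://keystone.example.internal:5000/v3
username = nova
password = Sup3rSecretSvc
"""

# Option names assumed to carry a bare secret, and options whose value is a URL
# that may carry user:password@ credentials (assumed list, extend as needed).
SECRET_KEYS = {"password", "admin_password", "rabbit_password", "secret"}
URL_KEYS = {"connection", "transport_url"}


def mask(value):
    """Keep the first character only, so a report never echoes the secret."""
    return value[:1] + "*" * (len(value) - 1) if value else ""


def find_plaintext_secrets(conf_text):
    """Return (section, option, masked_secret) for every plaintext credential."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key in SECRET_KEYS and value:
                findings.append((section, key, mask(value)))
            elif key in URL_KEYS and value:
                # urlsplit exposes the password part of scheme://user:pass@host/...
                password = urlsplit(value).password
                if password:
                    findings.append((section, key, mask(password)))
    return findings


def audit_file(path):
    """Audit a config file on disk: its secrets plus whether it is world-readable."""
    with open(path) as fh:
        findings = find_plaintext_secrets(fh.read())
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    return findings, world_readable
```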
