Hi Akhil,

Right now oslo.config is capable of loading configuration values from files (default), environment variables (env driver), command line arguments (default), remote files (remote_file driver) and castellan (castellan driver). This gives you enough flexibility to come up with a hardening strategy according to the use case.

If you have any questions on how to use each driver, I'd be glad to answer as I wrote most of them.

Best regards,
Moisés Guimarães

On Tue, Apr 9, 2019 at 14:43, Jeremy Stanley <fungi@yuggoth.org> wrote:
On 2019-04-09 08:21:26 +0000 (+0000), Akhil Jayakumar (akjayaku) wrote:
Is there a way we can encrypt passwords in local.conf?
If so could you please point me to the reference?
[I've tagged the Oslo team and Security SIG in the subject of my reply to bring this to the attention of those audiences as well.]
The problem with actually encrypting shared secrets in the configuration directly is that whatever reads that config needs access to the corresponding decryption key, so you haven't solved the problem, only created a new secret you also need to encrypt... and it's turtles all the way down from there.
The oslo.config module supports pointing at external configuration sources through the use of backend drivers[1]. One such optional driver is castellan[2] which is designed for (among other things) retrieving values from secure data storage applications like Barbican and Vault. The original specification[3] for this implementation in the Queens release a year ago describes the use case fairly well, as does this poster presentation[4] from EuroPython last year. Hope this helps!
[1] https://docs.openstack.org/oslo.config/latest/reference/drivers.html
[2] https://docs.openstack.org/castellan/latest/
[3] https://specs.openstack.org/openstack/oslo-specs/specs/queens/oslo-config-dr...
[4] https://ep2018.europython.eu/media/conference/slides/mastering-applicationse...

--
Jeremy Stanley
-- Thanks, Moisés Guimarães
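
An added illustration of the castellan driver setup discussed in this thread (not part of the original messages and not the posters' own configuration): the service's config file names a `config_source` group, and that group points at a Castellan config file and a mapping file. The group name `secrets`, the option `[example_service] admin_password`, the file paths, the Vault URL and the secret ID are placeholders assumed for the example.

```ini
# ---- Before: secret stored in plaintext in the service config ----
# (constructed example; option name is hypothetical)
# [example_service]
# admin_password = SuperSecret123

# ---- After: /etc/example/service.conf ----
[DEFAULT]
# Name of the group that describes an external configuration source.
config_source = secrets

[secrets]
# Use the castellan backend driver for this source.
driver = castellan
# How Castellan reaches the secret store (see next file).
config_file = /etc/example/castellan.conf
# Which option maps to which stored secret (see last file).
mapping_file = /etc/example/castellan-mapping.conf

[example_service]
# admin_password is intentionally absent here; it is resolved
# through the "secrets" source at load time.

# ---- /etc/example/castellan.conf ----
[key_manager]
# Castellan key manager backend; Vault is one of the stores the
# thread mentions (Barbican is another).
backend = vault

[vault]
# Placeholder URL for the example.
vault_url = https://vault.example.test:8200
# Credentials for the store are configured here as described in the
# Castellan documentation. This file is now the sensitive one:
# restrict its ownership and permissions to the service account.

# ---- /etc/example/castellan-mapping.conf ----
# [oslo.config group]
# option_name = castellan secret ID
[example_service]
admin_password = <castellan-secret-id>
```

The access credential for the secret store still has to live somewhere the service can read, which is the point made above about encryption keys; the gain is that the service passwords themselves are no longer in the config file and can be rotated and audited in the store.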