It sounds like they might be – but the complaint is perhaps that once kolla-ansible generates the config, that config has the passwords in plain text (i.e. if you SSH into the machine, docker exec into the container, the /etc/nova/nova.conf has the keys built from the ansible-vault password.yml) I do not think there is a way around this, nor do I think there needs to be – if the passwords are only in “plain text” in the config on the container only accessibly by root, then privilege escalation to root is the vulnerability you should be protecting against anyway – even if you somehow worked out a way to have secrets separate in a way that wasn’t just a big house of cards, if there’s a privilege-escalation to root on your host nodes, you’re going to have massive problems, and some configuration passwords are going to be the least of them. @elnazcloud@gmail.com<mailto:elnazcloud@gmail.com> can you confirm you’re using the ansible-vault password encryption for your passwords.yml? Kolla-ansible has supported it for like 8 years: https://opendev.org/openstack/kolla-ansible/commit/684194ff9dbd442a93278bec2... Here is the link to the ansible documentation: https://docs.ansible.com/ansible/latest/vault_guide/vault_encrypting_content... Let us know if you need more information. Kind Regards, Joel McLean – Micron21 Pty Ltd From: Satish Patel <satish.txt@gmail.com> Sent: Tuesday, 29 July 2025 1:29 PM To: elnazcloud@gmail.com Cc: openstack-discuss@lists.openstack.org Subject: Re: [kolla][barbican] Secure password management in Kolla-Ansible using Castellan Why not using Ansible-Vault to secure passwords? On Thu, Jul 24, 2025 at 12:57 PM <elnazcloud@gmail.com<mailto:elnazcloud@gmail.com>> wrote: Hi all, I have deployed an OpenStack environment using Kolla Ansible. I'm looking for a way to avoid storing service passwords (e.g., database, keystone, etc.) in clear text inside the configuration files. Is there any recommended method to integrate Barbican and Castellan so that services like Nova, Keystone, or Cinder can fetch secrets securely during runtime using oslo.config? If not natively supported, are there best practices or known workarounds for achieving this securely in a Kolla-based deployment? Thanks in advance!

On 2025-07-29 07:20:39 -0000 (-0000), elnazcloud@gmail.com wrote: [...]

However, our concern is that—even though the secrets are encrypted at deployment time—they still end up as plaintext in the final config files inside the containers (e.g., nova.conf). [...]

I think oslo.config's remote_file driver was intended for this: https://docs.openstack.org/oslo.config/latest/configuration/options.html Of course you still need the backend securely configured with per-service client certs authorized for the specific blobs, and this only works for services relying on oslo.config. I'm not sure if there's a documented walkthrough for this sort of deployment, nor whether Kolla has any integrated support for setting it up. I've added ops and security-sig to the list of subject tags in case it bubbles this up to the attention of anyone in those circles who knows the answer. -- Jeremy Stanley

On 2025-07-29 21:27:51 +0100 (+0100), Sean Mooney wrote: [...]

`in general if someone can acess the host filesystem and read the nova.conf your security evnolope has already been breached. [...]

It's not uncommon in naïve security policies that are primarily concerned with "data at rest" to require all sensitive information on disk be encrypted. Their authors are typically focused on what happens if a decommissioned hard drive or stray backup tape falls into the wrong hands. As you note, there's a substantial Catch-22 here, in that the client keys for accessing the remote service represent a similar risk unless kept isolated, e.g. in an HSM. What this fails to address, though, is that the plaintext form of passwords and keys will still be present in process memory on running systems, and in many cases these systems are configured with swap partitions or files which are themselves not encrypted, so it's still possible for the vulnerable secrets to end up on disk if they get paged out for any reason. Encrypted swap can help here, but at that point why not just encrypt the entire disk and be done with it? Measures to fully isolate secrets from storage on a system that uses them are rarely worth the operational costs. As a security professional, when presented with requirements like these my initial recommendation is to think hard about what exactly you're protecting and from whom. Essentially, "define your risks." To make sense, the cost of the solution should not exceed its value. If you can't define the value of a security measure, it probably has none in actuality. If you can't estimate the cost and likelihood of a risk being exploited, then it's likely not worth mitigating. If you can't answer these questions, then first find someone who can. -- Jeremy Stanley

Just bringing my thoughts to this list; The OpenStack Summit Talk (https://youtu.be/6cjepMGQfrM?t=883) shows a proof-of-concept where they're able to use Barbican to protect glance.conf ( or any-other.conf ) passwords; but someone ask the winning question (I have linked to the exact time) which is "How does one then protect the Barbican or Vault?" The answer given ( I believe by Tin Lam?) pretty much hits the nail on the head - this leads to a chicken-and-egg issue - since Barbican or Vault must be accessible to the hosts/services which have the configuration files, then anyone who can see the configuration files' contents can then take the next logical step and ask the secret provider for the secret, using whatever privileges that host/service already has to request the secret. In their example, they suggest that the Barbican's credentials could be kept out of the configuration file by using environment variables, but that's just having the unencrypted credential in a different place; a privileged user on that host/service can access the service's environment variables, then request the key from Barbican. In the summit talk, they only go through one risk scenario which is what they are trying to address; which is when a developer reaches out to a vendor for support they might inadvertently send the entire configuration file, passwords and all, and that is the risk they're looking to mitigate. If you're using Kolla-ansible, your configuration files already don't have the passwords, as they're typically configuration overrides, supplementing the kolla-ansible j2 templates - unless you're pulling the fully compiled configuration files out of the running containers, and sending those. At the start of the Summit, they talk about some other avenues they did _not_ try because it introduced significant complexity; one of which was to encrypt the configuration files, or partially encrypt the contents of the configuration files so that the credentials were not stored in plain text at rest. This would have mitigated AT&T's requirement of developers sending full configuration files to vendors, but is less cloud-native and proposes new technological challenges such as what to do when you need to rotate those credentials. It may or may not afford you greater security than using Barbican or Vault, as at some point the service accessing that configuration file needs the keys to decrypt the contents of the configuration file; so we're back to square one - a user with privileged access to read the configuration files presumably has enough privileged access to access to configuration file's decryption key. The trade off is a non-linear scale of "Complexity and Greater Security <--------> Convenience but Lesser Security". Everyone's risk appetite for where they land on that scale is different, and a mature organisation will be able to shift around on that scale as they become more competent in overcoming complexity, and can then benefit from the greater security. So, depending on your risk profile, and what risks you are trying to mitigate, using Barbican or Hashicorp Vault to store secrets, and have the services collect these secrets as needed might not address your particular risks. Presuming you follow a Hashicorp Vault service, or a similar service, to protect your keys, and you dialled up the security using ACLs and Policies, you could greatly increase the secrecy of your credentials, but at a significant increase to your risk of service availability/interruption (i.e. What if the Vault goes away/down? What if you lose the trust relationship with your vault/policy - how do you recover?). If the increased secrecy mitigates some significant risks, that's great - you just want to make sure that you aren't introducing new, potentially far more impactful risks to your setup. One way to go very hard to the "Complexity and Greater Security" scale, you could consider re-building and changing every kolla container's runtime user/group and privileges, so that even using docker privilege escalation tricks can't access the kolla service container, but this requires a lot of tooling, and has far reaching consequences for things like troubleshooting and applying updates. I would encourage anyone who is looking to enhance their security position to do a genuine threat and risk assessment - really put down on paper (or a spreadsheet, or your risk analysis tooling if you're lucky enough to have some) to determine whether or not the steps you're taking to address a security concern have merit, or whether the effort could be more effectively used elsewhere. Kind Regards, Joel McLean – Micron21 Pty Ltd -----Original Message----- From: elnazcloud@gmail.com <elnazcloud@gmail.com> Sent: Tuesday, 29 July 2025 5:21 PM To: openstack-discuss@lists.openstack.org Subject: RE: [kolla][barbican] Secure password management in Kolla-Ansible using Castellan Yes, we are using Ansible Vault to encrypt our passwords.yml, and all sensitive values are stored encrypted in that file. However, our concern is that—even though the secrets are encrypted at deployment time—they still end up as plaintext in the final config files inside the containers (e.g., nova.conf). As highlighted in the OpenStack Summit talk, there's an initiative to improve secret handling by avoiding storing passwords directly in service configuration files, even on disk. Instead, passwords would be referenced or pulled dynamically from a secure external source, such as Barbican or HashiCorp Vault, via Castellan integration. So while encrypting passwords.yml with Ansible Vault is a good first step, we're interested in going further — specifically, preventing plaintext secrets from appearing in config files altogether, as part of a more secure design. Thanks in advance!

Hello, everyone. I was reading all of the arguments and consolidating my thoughts based on the ones that were presented. Here it goes my humble contribution. Answering the last question if application credentials meet this need, I'd say potentially YES. Considering all the features that AppCreds (for short) bring to the game, such as: 1. Enforcing Least Privilege. 2. Providing Revocation and Rotation. 3. Enabling Improved Auditability. 4. And addressing Service Authentication. I'd say it helps a lot in this sense. Remembering that AppCreds are an authentication mechanism, not a secrets storage solution... In this topic (protection of secrets), the argument that the privilege escalation to root on a specific system/host undermines the need to protect sensitive data, such as secrets, is absolutely obsolete. We have to have a strong way to protect the keys that encrypt the secrets to avoid that an attacker who successfully escalates privileges to root on an owned system is able to access such sensitive data, and potentially compromise other systems. Just to mention two de-facto standards that touch this point, we have NIST Special Publication 800-53 [1] and ENISA NIS 2 directive [2]. Defense in Depth must always come to the discussion no matter what. Best regards, Mauricio [1] https://csrc.nist.gov/pubs/sp/800/53/r5/final [2] https://www.enisa.europa.eu/publications/nis2-technical-implementation-guida...