[openstack-dev] [Heat]Heat template parameters encryption
Zane Bitter
zbitter at redhat.com
Wed Jun 4 23:19:05 UTC 2014
On 04/06/14 15:58, Vijendar Komalla wrote:
> Hi Devs,
> I have submitted a WIP review (https://review.openstack.org/#/c/97900/)
> for the Heat parameters encryption blueprint
> https://blueprints.launchpad.net/heat/+spec/encrypt-hidden-parameters
> This quick and dirty implementation encrypts all the parameters on
> Stack 'store' and decrypts on Stack 'load'.
> Following are a couple of improvements I am thinking about:
> 1. Instead of encrypting individual parameters, on Stack 'store' encrypt
> all the parameters together as a dictionary [something like
> crypt.encrypt(json.dumps(param_dictionary))]
Yeah, definitely don't encrypt them individually.
> 2. Just encrypt parameters that were marked as 'hidden', instead of
> encrypting all parameters
>
> I would like to hear your feedback/suggestions.
Just as a heads-up, we will soon need to store the properties of
resources too, at which point parameters become the least of our
problems. (In fact, in theory we wouldn't even need to store
parameters... and probably by the time convergence is completely
implemented, we won't.) Which is to say that there's almost certainly no
point in discriminating between hidden and non-hidden parameters.
I'll refrain from commenting on whether the extra security this affords
is worth the giant pain it causes in debugging, except to say that IMO
there should be a config option to disable the feature (and if it's
enabled by default, it should probably be disabled by default in e.g.
devstack).
cheers,
Zane.
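As an added, constructed example (not Heat's code and not the patch under review): a store/load pair that serializes the whole parameter dictionary to JSON and encrypts it as one authenticated blob, so individual values cannot be swapped or altered in storage, and that honours a config flag to disable the feature. The `ENCRYPT_PARAMETERS` flag, the key handling and the stdlib HMAC-SHA256 counter-mode stand-in for a real cipher are assumptions; a production implementation would use an AEAD from a proper crypto library.

```python
import hashlib
import hmac
import json
import os

# Assumed config flag (not a real Heat option): encrypt parameters on store?
ENCRYPT_PARAMETERS = True


def _derive(master_key, label):
    """Split one master key into separate encryption and MAC keys."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 as a PRF (stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _encrypt(master_key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag, tag covers nonce and ciphertext."""
    nonce = os.urandom(16)
    ks = _keystream(_derive(master_key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_derive(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _decrypt(master_key, blob):
    """Verify the tag before touching the ciphertext; reject any modified blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored parameter blob failed authentication")
    ks = _keystream(_derive(master_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def store_parameters(params, master_key, encrypt=ENCRYPT_PARAMETERS):
    """Stack 'store': one JSON document for the whole dict, encrypted as a unit."""
    raw = json.dumps(params, sort_keys=True).encode()
    if not encrypt:  # config option to disable, e.g. for debugging in devstack
        return {"encrypted": False, "data": raw}
    return {"encrypted": True, "data": _encrypt(master_key, raw)}


def load_parameters(stored, master_key):
    """Stack 'load': decrypt if needed, then deserialize the dict."""
    data = stored["data"] if not stored["encrypted"] else _decrypt(master_key, stored["data"])
    return json.loads(data)
```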