[openstack-dev] [Fuel] Add support for Keystone's Fernet encryption keys management: initialization, rotation

Davanum Srinivas davanum at gmail.com
Thu Jul 16 15:29:44 UTC 2015


Adam,

For 1, do we let user configure max_active_keys? what's the default?

Please note that there is a risk that an active token may be
invalidated if Fernet key rotation removes keys early. So that's a
potential issue to keep in mind (relation of token expiry to period of
key rotation).

thanks,
dims


On Thu, Jul 16, 2015 at 10:22 AM, Adam Heczko <aheczko at mirantis.com> wrote:
> Hi Folks,
> Keystone supports Fernet tokens which have payload encrypted by AES 128 bit
> key.
> Although AES 128 bit key looks secure enough for most OpenStack deployments
> [2], one may would like to rotate encryption keys according to already
> proposed 3 step key rotation scheme (in case keys get compromised or
> organizational security policy requirement).
> Also creation and initial AES key distribution between Keystone HA nodes
> could be challenging and this complexity could be handled by Fuel deployment
> tool.
>
> In regards to Fuel, I'd like to:
> 1. Add support for initializing Keystone's Fernet signing keys to Fuel
> during OpenStack cluster (Keystone) deployment
> 2. Add support for rotating Keystone's Fernet signing keys to Fuel according
> to some automatic schedule (for example one rotation per week) or triggered
> from the Fuel web user interface or through Fuel API.
>
> These two capabilities will be implemented in Fuel by related blueprint [1].
>
> [1] https://blueprints.launchpad.net/fuel/+spec/fernet-tokens-support
> [2] http://www.eetimes.com/document.asp?doc_id=1279619
>
>
> Regards,
>
> --
> Adam Heczko
> Security Engineer @ Mirantis Inc.
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



-- 
Davanum Srinivas :: https://twitter.com/dims



More information about the OpenStack-dev mailing list