[openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

Fox, Kevin M Kevin.Fox at pnnl.gov
Mon Jul 27 18:41:02 UTC 2015

Barbican depends on Keystone though for authentication. Its not a silver bullet here.

From: Dolph Mathews [dolph.mathews at gmail.com]
Sent: Monday, July 27, 2015 10:53 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

Although using a node's *local* filesystem requires external configuration management to manage the distribution of rotated keys, it's always available, easy to secure, and can be updated atomically per node. Note that Fernet's rotation strategy uses a staged key that can be distributed to all nodes in advance of it being used to create new tokens.

Also be aware that you wouldn't want to store encryption keys in plaintext in a shared database, so you must introduce an additional layer of complexity to solve that problem.

Barbican seems like much more logical next-step beyond the local filesystem, as it shifts the burden onto a system explicitly designed to handle this issue (albeit in a multitenant environment).

On Mon, Jul 27, 2015 at 12:01 PM, Alexander Makarov <amakarov at mirantis.com<mailto:amakarov at mirantis.com>> wrote:

I'd like to discuss pro's and contra's of having Fernet encryption keys stored in a database backend.
The idea itself emerged during discussion about synchronizing rotated keys in HA environment.
Now Fernet keys are stored in the filesystem that has some availability issues in unstable cluster.
OTOH, making SQL highly available is considered easier than that for a filesystem.

Kind Regards,
Alexander Makarov,
Senior Software Developer,

Mirantis, Inc.
35b/3, Vorontsovskaya St., 109147, Moscow, Russia

Tel.: +7 (495) 640-49-04<tel:%2B7%20%28495%29%20640-49-04>
Tel.: +7 (926) 204-50-60<tel:%2B7%20%28926%29%20204-50-60>


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe<http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150727/3adbafbb/attachment.html>

More information about the OpenStack-dev mailing list