[openstack-dev] [oslo.config] Encrypt the sensitive options
Darren J Moffat
Darren.Moffat at Oracle.COM
Tue Apr 26 15:59:09 UTC 2016
On 04/26/16 16:33, Daniel P. Berrange wrote:
> There is already barbican which could potentially fill that role:
>
> "Barbican is a REST API designed for the secure storage, provisioning
> and management of secrets such as passwords, encryption keys and X.509
> Certificates." [1]
>
> On startup a process, such as nova, could contact barbican to retrieve
> the credentials it should use for authenticating with each other service
> that requires a password.
Where do the creds that nova would use to authenticate to barbican come
from in that model?
> As explained earlier, passwords in text files is awful for both security
> and manageability at a large scale.
Agreed. Use of client side certs with TLS where the client side cert
pathname is what goes into the configuration file can help - that way
the config file has no credentials in it only pointers to them. Though
management of certs has its own problems but again Barbican can help here.
> File permissions alone cannot solve that problem.
Agreed, but the combination of file permissions and split configuration
can be a first step in that direction especially if the default
configuration files are "split" rather than requiring the admin to know
about that feature and to do it. It may also help if comments about this
were placed in the default configuration files to encourage the behaviour.
--
Darren J Moffat
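
Added example, not part of the original message or of oslo.config: a small audit of the "file permissions plus split configuration" layout discussed above, comparing a single group/world-readable file that holds a password with a split layout where the readable file holds only a certificate path and the password sits in an owner-only file. The file names, section names, option names and the list of sensitive name hints are assumptions made for the illustration.

```python
import configparser
import os
import stat
import tempfile

# Assumed name hints for secret-bearing options; adjust per deployment.
SENSITIVE_HINTS = ("password", "secret", "token")

def audit(paths):
    """Flag non-empty sensitive options in files readable by group or others."""
    findings = []
    for path in paths:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if not mode & (stat.S_IRWXG | stat.S_IRWXO):
            continue  # owner-only file: secrets may live here
        # Treat [DEFAULT] as an ordinary section so its options are listed once.
        cp = configparser.RawConfigParser(default_section="__unused__")
        cp.read(path)
        for section in cp.sections():
            for option, value in cp.items(section):
                if value and any(h in option.lower() for h in SENSITIVE_HINTS):
                    findings.append((os.path.basename(path), section, option))
    return findings

def write(directory, name, mode, text):
    """Create a constructed sample file with the given permission bits."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

def demo():
    """Build constructed sample files and audit both layouts."""
    with tempfile.TemporaryDirectory() as d:
        single = write(d, "single.conf", 0o644,
                       "[DEFAULT]\ndebug = false\n"
                       "[database]\npassword = constructed-sample\n")
        main = write(d, "main.conf", 0o644,
                     "[DEFAULT]\ndebug = false\n"
                     "[keystone]\ncertfile = /etc/pki/sample/client.pem\n")
        secrets = write(d, "secrets.conf", 0o600,
                        "[database]\npassword = constructed-sample\n")
        return audit([single]), audit([main, secrets])

if __name__ == "__main__":
    weak, split = demo()
    print("single file:", weak)
    print("split files:", split)
```

The check looks only at permission bits and option names; it does not verify file ownership or the permissions of the certificate file that the readable config points to.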