[openstack-dev] [infra][security] Encryption in Zuul v3

Clint Byrum clint at fewbar.com
Tue Mar 21 19:34:20 UTC 2017

Excerpts from Matthieu Huin's message of 2017-03-21 18:43:49 +0100:
> Hello James,
> Thanks for opening the discussion on this topic. I'd like to mention that a
> very common type of secrets that are used in Continuous Deployments
> scenarios are SSH keys. Correct me if I am wrong, but PKCS#1 wouldn't
> qualify if standard keys were to be stored.

You could store a key, just not a 4096 bit key.

PKCS#1 has a header/padding of something like 12 bytes, and then you
need a hash in there, so for SHA1 that's 160 bits or 20 bytes, SHA256
is 256 bites so 32 bytes. So with a 4096 bit (512 bytes) Zuul key, you
can encrypt 480 bytes of plaintext, or 468 with sha256. That's enough
for a 3072 bit (384 bytes) SSH key. An uncommon size, but RSA says'
they're good past 2030:


It's a little cramped, but hey, this is the age of tiny houses, maybe we
should make do with what we have.

More information about the OpenStack-dev mailing list