[openstack-dev] [infra][security] Encryption in Zuul v3

James E. Blair corvus at inaugust.com
Tue Mar 21 20:16:57 UTC 2017


Clint Byrum <clint at fewbar.com> writes:

> Excerpts from Matthieu Huin's message of 2017-03-21 18:43:49 +0100:
>> Hello James,
>> 
>> Thanks for opening the discussion on this topic. I'd like to mention that a
>> very common type of secret used in Continuous Deployment
>> scenarios is SSH keys. Correct me if I am wrong, but PKCS#1 wouldn't
>> qualify if standard keys were to be stored.
>
> You could store a key, just not a 4096 bit key.
>
> PKCS#1 has a header/padding of something like 12 bytes, and then you
> need a hash in there, so for SHA1 that's 160 bits or 20 bytes, SHA256
> is 256 bits so 32 bytes. So with a 4096 bit (512 bytes) Zuul key, you
> can encrypt 480 bytes of plaintext, or 468 with sha256. That's enough
> for a 3072 bit (384 bytes) SSH key. An uncommon size, but RSA says
> they're good past 2030:
>
> https://www.emc.com/emc-plus/rsa-labs/historical/twirl-and-rsa-key-size.htm
>
> It's a little cramped, but hey, this is the age of tiny houses, maybe we
> should make do with what we have.

There is that option, the option of adding another encryption system
capable of storing larger keys, or this third option:

Because we wanted continuous deployment to be a first-class feature in
Zuul v3, we added this section of the spec which specifies that Zuul
should have a number of keys automatically available for use in a CD
system:

  http://specs.openstack.org/openstack-infra/infra-specs/specs/zuulv3.html#continuous-deployment

We haven't started implementing that yet, and it probably needs a little
bit of updating before we do, but I think the fundamental idea is still
sound and could be accomplished.

-Jim


