Makes sense. So what is the recommended upstream approach for securely storing user passwords in keystone ? Is that what is being described here ? https://docs.openstack.org/keystone/pike/admin/identity-credential-encryption.html Greg. From: Juan Antonio Osorio Robles <jaosorior at redhat.com> Reply-To: "openstack-dev at lists.openstack.org" <openstack-dev at lists.openstack.org> Date: Wednesday, August 29, 2018 at 2:00 PM To: "openstack-dev at lists.openstack.org" <openstack-dev at lists.openstack.org> Subject: Re: [openstack-dev] [keystone] [barbican] Keystone's use of Barbican ? This is not the case. Barbican requires users and systems that use it to use keystone for authentication. So keystone can't use Barbican for this. Chicken and egg problem. On 08/29/2018 08:08 PM, Waines, Greg wrote: My understanding is that Keystone can be configured to use Barbican to securely store user passwords. Is this true ? If yes, is this the standard / recommended / upstream way to securely store Keystone user passwords ? If yes, I can’t find any descriptions of this is configured ? Can someone provide some pointers ? Greg. __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe<mailto:OpenStack-dev-request at lists.openstack.org?subject:unsubscribe> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180829/306495a7/attachment.html>