[openstack-dev] [keystone] [barbican] Keystone's use of Barbican ?

Adrian Turjak adriant at catalyst.net.nz
Thu Aug 30 09:23:11 UTC 2018


On 30/08/18 6:29 AM, Lance Bragstad wrote:
>
>     Is that what is being described here?
>     https://docs.openstack.org/keystone/pike/admin/identity-credential-encryption.html
>
>
> This is a separate mechanism for storing secrets, not necessarily
> passwords (although I agree the term credentials automatically makes
> people assume passwords). This is used if consuming keystone's native
> MFA implementation. For example, storing a shared secret between the
> user and keystone that is provided as an additional authentication
> method along with a username and password combination.
>  

Is there any interest or plans to potentially allow Keystone's
credential store to use Barbican as a storage provider? Encryption
already is better than nothing, but if you already have (or will be
deploying) a proper secret store with a hardware backend (or at least
hardware-stored encryption keys) then it might make sense to throw that
in Barbican.

Or is this also too much of a chicken/egg problem? How safe is it to
rely on Barbican availability for MFA secrets and auth?
