[Openstack] Key management

Clark, Robert Graham robert.clark at hpe.com
Tue Mar 29 16:23:27 UTC 2016


> From: Jagga Soorma [mailto:jagga13 at gmail.com] 
> Sent: 29 March 2016 04:07
> To: openstack
> Subject: [Openstack] Key management
>
> Hey Guys,
>
> I have a new openstack environment and one thing I have noticed is that my keys are all over 
> the place now, which got me thinking what others might be doing for key management?  
> Just curious if there is a better, more central/secure way to store my keys.
>
> Thanks!

Hi Jagga,

In its default configuration, OpenStack doesn't have a lot of 'keys' in the traditional cryptographic
sense. Although it certainly has a lot of sensitive credentials sprayed about the place in flat files.

To address key management specifically, you should take a look at the Barbican project[1], this is
designed to make handling cryptographic keys (and other sensitive primitives) safe and easy to
do within OpenStack.

As for the rest of OpenStack, it's really down to your distribution to appropriately secure system files.
Many distributors will use a combination of mandatory and discretionary access controls (MAC & DAC)
to limit access to on-disk credentials. Their lifetime is typically managed through some deployment
configuration tool such as Ansible, Salt, Chef, Puppet, etc.

Personally I've been experimenting with some more real-time management of system level credentials
using etcd. However that's early days.

-Rob

[1] https://wiki.openstack.org/wiki/Barbican 
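As an added illustration of the point above about credentials sprayed across flat files and the DAC side of protecting them, here is a small audit script. It is example code written for this page, not code from the original post or from any OpenStack project. It parses OpenStack-style .conf files, flags options whose name or URL-style value carries a credential, and reports which files are world-readable. The credential-name pattern and the two sample config files are constructed assumptions, not taken from any real deployment.

```python
"""
Audit OpenStack-style .conf files for plaintext credentials and weak
on-disk permissions.  Added example written for this page; it is not
code from the original post or from any OpenStack project.
Assumptions (not from the page): option names containing password/token/
secret/key, and URL values with a user:pass@ part, are credentials; the
sample files below are constructed.
"""
import configparser
import os
import re
import stat
import tempfile
from pathlib import Path

# Option names that normally hold a credential (assumed pattern; extend it
# for your deployment).
CREDENTIAL_OPTION = re.compile(r"password|token|secret|(^|_)key$", re.IGNORECASE)
# A URL whose authority part carries user:password@ (transport_url,
# [database] connection, ...).
URL_PASSWORD = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s@]+:[^/\s@]+@", re.IGNORECASE)


def find_credentials(path):
    """Return (section, option, reason) for every value that looks like a credential."""
    # default_section is renamed so that [DEFAULT] is parsed as an ordinary
    # section instead of being merged into every other section.
    parser = configparser.ConfigParser(interpolation=None,
                                       default_section="__no_defaults__")
    parser.read(path)
    hits = []
    for section in parser.sections():
        for option, value in parser.items(section):
            if not value:
                continue
            if CREDENTIAL_OPTION.search(option):
                hits.append((section, option, "credential option"))
            elif URL_PASSWORD.match(value):
                hits.append((section, option, "password in URL"))
    return hits


def is_world_readable(path):
    """True if any user on the host can read the file (mode has o+r)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit(root):
    """Audit every *.conf under root; returns {filename: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*.conf")):
        report[path.name] = {
            "credentials": find_credentials(path),
            "world_readable": is_world_readable(path),
        }
    return report


def build_sample_tree():
    """Write two constructed config files into a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="os-cred-audit-"))
    nova = root / "nova.conf"
    nova.write_text(
        "[DEFAULT]\n"
        "transport_url = rabbit://openstack:RABBIT_PASS@controller\n"
        "my_ip = 10.0.0.11\n\n"
        "[database]\n"
        "connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova\n\n"
        "[keystone_authtoken]\n"
        "auth_url = http://controller:5000/v3\n"
        "username = nova\n"
        "password = NOVA_PASS\n\n"
        "[neutron]\n"
        "metadata_proxy_shared_secret = METADATA_SECRET\n"
    )
    nova.chmod(0o644)  # world-readable: the bad case
    keystone = root / "keystone.conf"
    keystone.write_text(
        "[DEFAULT]\n"
        "admin_token = ADMIN_TOKEN\n"
        "log_dir = /var/log/keystone\n\n"
        "[database]\n"
        "connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone\n"
    )
    keystone.chmod(0o640)  # owner/group only: what a packaged install should look like
    return root


if __name__ == "__main__":
    for name, findings in audit(build_sample_tree()).items():
        flag = "WORLD-READABLE" if findings["world_readable"] else "ok"
        print(f"{name}: {flag}")
        for section, option, reason in findings["credentials"]:
            print(f"  [{section}] {option}: {reason}")
```

On a real host you would point audit() at /etc/nova, /etc/keystone and friends rather than the constructed tree. The script only inspects the DAC side (mode bits); whether SELinux or AppArmor additionally confines which processes may read those files is a separate check.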

