Fernet keys should not be hardcoded

Bug #1651392 reported by Boris Bobrov
Affects: fuel-ccp
Status: Fix Committed
Importance: High
Assigned to: Dmitry Klenov
Milestone: (not set)

Bug Description

Fernet keys are now hardcoded like this: https://github.com/openstack/fuel-ccp-keystone/blob/master/service/files/defaults.yaml#L21 . This is bad because it generally compromises security. Instead, the tokens should be generated for each deployment.
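As an added check (example code written for this page, not part of fuel-ccp, fuel-ccp-keystone or the bug report), the following Python scanner flags Fernet-shaped keys committed to a config file such as the defaults.yaml named above. It keys on the Fernet key layout (32 random bytes, urlsafe-base64 encoded, 44 characters ending in one "=") and confirms each candidate actually decodes to 32 bytes, so hex digests and ordinary passwords are not reported. The sample YAML is constructed; the key in it is 32 zero bytes, not a real deployment key.

```python
import base64
import binascii
import re
from typing import List, Tuple

# A Fernet key is 32 random bytes, urlsafe-base64 encoded: 43 alphabet
# characters followed by exactly one '=' of padding. The look-around guards
# keep the match from starting or ending inside a longer base64 blob.
FERNET_KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])([A-Za-z0-9_-]{43}=)(?![A-Za-z0-9_=-])")

# Constructed sample in the spirit of a service defaults.yaml; the key value is
# 32 zero bytes encoded, used only so the example is deterministic.
SAMPLE_DEFAULTS_YAML = """\
configs:
  keystone:
    # constructed sample: 32 zero bytes, urlsafe-base64 encoded
    fernet_key: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
    fernet_key_repository: /etc/keystone/fernet-keys
    admin_password: not-a-fernet-key
    token_expiration: 3600
    image_digest: sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""


def looks_like_fernet_key(value: str) -> bool:
    """True when value decodes (urlsafe base64) to exactly 32 bytes."""
    try:
        raw = base64.urlsafe_b64decode(value.encode("ascii"))
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def find_hardcoded_fernet_keys(text: str) -> List[Tuple[int, str]]:
    """Scan config text line by line; return (line number, masked line) for
    every line carrying a value that has the shape of a Fernet key.

    The reported line has the key masked to its first and last four
    characters so the finding itself does not leak the secret into CI logs."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in FERNET_KEY_RE.finditer(line):
            candidate = match.group(1)
            if looks_like_fernet_key(candidate):
                masked = line.strip().replace(
                    candidate, candidate[:4] + "..." + candidate[-4:])
                findings.append((lineno, masked))
    return findings


if __name__ == "__main__":
    for lineno, masked in find_hardcoded_fernet_keys(SAMPLE_DEFAULTS_YAML):
        print(f"line {lineno}: hardcoded Fernet key: {masked}")
```

Run it against the service definitions in a pre-commit hook or CI job; a non-empty result should fail the build, since a key present in the repository is shared by every deployment built from it.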

Boris Bobrov (bbobrov)
information type: Private Security → Public Security
Revision history for this message
Adam Heczko (aheczko-mirantis) wrote:

Based on various customers' input, we should consider more generic security requirements:

1. Keys, passwords and secrets should never be tied to the Fuel CCP source code
2. Fuel CCP or k8s is able to utilise an HSM to store secrets

However, neither Fuel CCP, Keystone nor Kubernetes uses an HSM currently. A reasonable solution is to propose a compensating control and store secrets encrypted on local disk. To further protect secrets from compromise, utilise the multiple encryption approach as described in the OWASP methodology.
The proposed solution is to store Fernet keys and all other qualifying secrets on a LUKS encrypted drive. This satisfies the DEK and KEK security requirement. In case a customer requests additional hardening, this allows storing the LUKS KEK on a security validated key, e.g. Yubico.

Summary:
- Store Fernet DEK key on LUKS encrypted drive
- Store LUKS KEK key locally, which is good enough for Dev and POC purposes
- For production deployments store LUKS KEK in locally attached Yubico or at least passphrase protected key

References:
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile#howto-automatically-unlock-luks-encrypted-drives-with-a-keyfile
https://www.howtoforge.com/ubuntu-two-factor-authentication-with-yubikey-for-harddisk-encryption-with-luks

Changed in fuel-ccp:
assignee: nobody → Dmitry Klenov (dklenov)
status: New → Triaged
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote: Fix proposed to fuel-ccp (master)

Fix proposed to branch: master
Review: https://review.openstack.org/423234

Changed in fuel-ccp:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote:

Fix proposed to branch: master
Review: https://review.openstack.org/428055

OpenStack Infra (hudson-openstack) wrote: Change abandoned on fuel-ccp (master)

Change abandoned by Dmitry Klenov (<email address hidden>) on branch: master
Review: https://review.openstack.org/423234
Reason: Abandoning due to decision to change implementation approach.
New review: https://review.openstack.org/#/c/428055/

OpenStack Infra (hudson-openstack) wrote: Fix proposed to fuel-ccp-keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/428074

OpenStack Infra (hudson-openstack) wrote: Fix merged to fuel-ccp (master)

Reviewed: https://review.openstack.org/428055
Committed: https://git.openstack.org/cgit/openstack/fuel-ccp/commit/?id=80447e7411fb446f6265d60bdc4c9d772fe15e0b
Submitter: Jenkins
Branch: master

commit 80447e7411fb446f6265d60bdc4c9d772fe15e0b
Author: Dmitry Klenov <email address hidden>
Date: Fri Jan 20 09:42:08 2017 +0000

    Secret support

    Support of k8s secrets is introduced. To create a secret, put
    an additional section 'secrets' to the definition
    of the service:

    secrets:
      name-for-reference:
        type: "Opaque"
        data:
          "file1": "some content"
          "file2": "another one"
        secret:
            secretName: name-in-k8s
        path: /where/to/mount

    You can reference this secret from the container definition:

    daemon:
      secrets:
        - name-for-reference

    The referenced secret must be defined in the 'secrets' section.

    Change-Id: Iaaede4ccb94c99d70f3ecad040d5ab6c41428c5e
    Partial-Bug: #1651392
    Partial-Bug: #1651394

OpenStack Infra (hudson-openstack) wrote: Fix merged to fuel-ccp-keystone (master)

Reviewed: https://review.openstack.org/426092
Committed: https://git.openstack.org/cgit/openstack/fuel-ccp-keystone/commit/?id=f6a75158c2dd32720ed178d91ef2b6df40c6984a
Submitter: Jenkins
Branch: master

commit f6a75158c2dd32720ed178d91ef2b6df40c6984a
Author: Dmitry Klenov <email address hidden>
Date: Tue Jan 17 09:05:11 2017 +0000

    Fernet keys rotation action

    A mechanism to rotate fernet keys is added. The CCP operator can use one
    of two ways to rotate keys:

    1. Manual rotation.
    Pre-generate keys manually and distribute them to keystone pod(s).
    To do this, the operator needs to put the generated keys into the ccp config file
    in the following format:

    configs:
        keystone:
            fernet_keys:
                "0": <key-0>
                "2": <key-2>
                "3": <key-3>

    Then, execute the custom action 'fernet-rotate'. The keys will be placed
    into the k8s secret.

    2. Automatic rotation.
    Do not put keys in the config, just execute 'fernet-rotate'. Keys will be
    automatically rotated and put into the proper secret.

    Partial-Bug: #1651392
    Partial-Bug: #1651394
    Change-Id: I577b3f36a12d14b4b5d546d9633d4629eb5d8a37
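The rotation scheme described in the commit message above (staged key "0", highest index as the primary, oldest keys pruned, which is why the manual example shows keys 0, 2 and 3) and the placement of the keys into a k8s Secret from the earlier "Secret support" commit, as an added Python example. This is illustrative code written for this page, not fuel-ccp-keystone's implementation of 'fernet-rotate' or fuel-ccp's secret support. The Secret name keystone-fernet-keys, the namespace ccp and the limit of three active keys are assumptions for the example; key bytes come from os.urandom in the same layout Fernet.generate_key() produces, so the block needs no third-party package.

```python
import base64
import json
import os
from typing import Dict


def generate_fernet_key() -> str:
    """32 random bytes, urlsafe-base64 encoded: the same layout that
    cryptography.fernet.Fernet.generate_key() produces. Called once per
    deployment, this is what replaces a key checked into defaults.yaml."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode("ascii")


def initialize_repository() -> Dict[str, str]:
    """Fresh per-deployment repository in the keystone layout: key "0" is the
    staged key (validates tokens, never issues them), key "1" is the primary."""
    return {"0": generate_fernet_key(), "1": generate_fernet_key()}


def rotate(keys: Dict[str, str], max_active_keys: int = 3) -> Dict[str, str]:
    """Promote the staged key to primary, stage a new key, prune the oldest.

    max_active_keys=3 is an assumption for this example. The staged key "0"
    always counts as active and is never pruned; tokens issued under the
    previous primary stay valid until that key is pruned by a later rotation."""
    if "0" not in keys:
        raise ValueError("repository has no staged key '0'; initialize first")
    new_keys = dict(keys)
    current_primary = max(int(idx) for idx in new_keys)
    # staged key becomes the new primary, numbered one above the old primary
    new_keys[str(current_primary + 1)] = new_keys.pop("0")
    # stage a brand-new key for the next rotation
    new_keys["0"] = generate_fernet_key()
    # prune the oldest non-staged keys until we are within the limit
    while len(new_keys) > max_active_keys:
        oldest = min(int(idx) for idx in new_keys if idx != "0")
        del new_keys[str(oldest)]
    return new_keys


def primary_key_index(keys: Dict[str, str]) -> str:
    """The highest-numbered key is the one that signs new tokens."""
    return str(max(int(idx) for idx in keys))


def render_k8s_secret(keys: Dict[str, str], name: str = "keystone-fernet-keys",
                      namespace: str = "ccp") -> dict:
    """Render the repository as an Opaque k8s Secret with one data item per
    key index, so mounting it gives the keystone pod a directory of key files.
    Secret data values must be standard base64 (not urlsafe) per the k8s API."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {idx: base64.b64encode(key.encode("ascii")).decode("ascii")
                 for idx, key in keys.items()},
    }


def decode_secret_data(secret: dict) -> Dict[str, str]:
    """Inverse of render_k8s_secret: recover the key files from a Secret."""
    return {idx: base64.b64decode(value).decode("ascii")
            for idx, value in secret["data"].items()}


if __name__ == "__main__":
    repo = initialize_repository()
    for _ in range(2):
        repo = rotate(repo)
    print("active keys:", sorted(repo, key=int), "primary:", primary_key_index(repo))
    print(json.dumps(render_k8s_secret(repo), indent=2))
```

Two rotations from a fresh repository leave exactly the key set 0, 2, 3 shown in the manual-rotation example above: key 1 (the first primary) is the one pruned, while the staged key is carried over and renumbered each time.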

OpenStack Infra (hudson-openstack) wrote:

Reviewed: https://review.openstack.org/428074
Committed: https://git.openstack.org/cgit/openstack/fuel-ccp-keystone/commit/?id=cef1b979ba6ca4dba34e815e860d28cc7f6440c6
Submitter: Jenkins
Branch: master

commit cef1b979ba6ca4dba34e815e860d28cc7f6440c6
Author: Dmitry Klenov <email address hidden>
Date: Fri Jan 27 07:08:58 2017 +0000

    Enable fernet keys generation

    This change effectively enables fernet key generation and their
    usage via the mechanism of k8s secrets. The legacy approach with a
    pre-generated fernet key is removed.

    Change-Id: Ibdf0a0eafb48930d5536f35511be78c1e5df9921
    Partial-Bug: #1651392
    Partial-Bug: #1651394
    Depends-On: Iaaede4ccb94c99d70f3ecad040d5ab6c41428c5e
    Depends-On: I577b3f36a12d14b4b5d546d9633d4629eb5d8a37

Dmitry Klenov (dklenov)
Changed in fuel-ccp:
status: In Progress → Fix Committed