Fernet keys should not be hardcoded

Bug #1651392 reported by Boris Bobrov on 2016-12-20
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
fuel-ccp
High
Dmitry Klenov

Bug Description

Fernet keys are now hardcoded like this: https://github.com/openstack/fuel-ccp-keystone/blob/master/service/files/defaults.yaml#L21 . This is bad because it generally compromises security. Instead, the tokens should be generated for each deployment.

Boris Bobrov (bbobrov) on 2016-12-20
information type: Private Security → Public Security
Adam Heczko (aheczko-mirantis) wrote :

Basing on various customers input we should consider more generic security requirements:

1. Keys, passwords and secrets should never be tied to the Fuel CCP source code
2. Fuel CCP or k8s is able to utilise a HSM to store secrets

However Fuel CCP, Keystone nor Kubernetes don't use HSM currently. Reasonable solution is to propose a compensating control and store secrets encrypted on local disk. To further protect secrets from compromisation utilize multiple encryptions approach as described in OWASP methodology.
The proposed solution is to store Fernet keys and all other qualifying secrets on LUKS encrypted drive. This satisfies DEK and KEK security requirement. In case customer requests additional hardening this allows to store LUKS KEK on security validated key, e.g. Yubico.

Summary:
- Store Fernet DEK key on LUKS encrypted drive
- Store LUKS KEK key locally, which is good enough for Dev and POC purposes
- For production deployments store LUKS KEK in locally attached Yubico or at least passphrase protected key

References:
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile#howto-automatically-unlock-luks-encrypted-drives-with-a-keyfile
https://www.howtoforge.com/ubuntu-two-factor-authentication-with-yubikey-for-harddisk-encryption-with-luks

Changed in fuel-ccp:
assignee: nobody → Dmitry Klenov (dklenov)
status: New → Triaged
importance: Undecided → High

Fix proposed to branch: master
Review: https://review.openstack.org/423234

Changed in fuel-ccp:
status: Triaged → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/428055

Change abandoned by Dmitry Klenov (<email address hidden>) on branch: master
Review: https://review.openstack.org/423234
Reason: Abandoning due to decision to change implementation approach.
New review: https://review.openstack.org/#/c/428055/

Reviewed: https://review.openstack.org/428055
Committed: https://git.openstack.org/cgit/openstack/fuel-ccp/commit/?id=80447e7411fb446f6265d60bdc4c9d772fe15e0b
Submitter: Jenkins
Branch: master

commit 80447e7411fb446f6265d60bdc4c9d772fe15e0b
Author: Dmitry Klenov <email address hidden>
Date: Fri Jan 20 09:42:08 2017 +0000

    Secret support

    Support of k8s secrets is introduced. To create a secret, put
    an additional section 'secrets' to the definition
    of the service:

    secrets:
      name-for-reference:
        type: "Opaque"
        data:
          "file1": "some content"
          "file2": "another one"
        secret:
            secretName: name-in-k8s
        path: /where/to/mount

    You can reference to this secret from the container definition:

    daemon:
      secrets:
        - name-for-reference

    The referenced secret must be defined in the 'secrets' section.

    Change-Id: Iaaede4ccb94c99d70f3ecad040d5ab6c41428c5e
    Partial-Bug: #1651392
    Partial-Bug: #1651394

Reviewed: https://review.openstack.org/426092
Committed: https://git.openstack.org/cgit/openstack/fuel-ccp-keystone/commit/?id=f6a75158c2dd32720ed178d91ef2b6df40c6984a
Submitter: Jenkins
Branch: master

commit f6a75158c2dd32720ed178d91ef2b6df40c6984a
Author: Dmitry Klenov <email address hidden>
Date: Tue Jan 17 09:05:11 2017 +0000

    Fernet keys rotation action

    Mechanism to rotate fernet keys is added. CCP operator can use one
    of two ways to rotate keys:

    1. Manual rotation.
    Pre-generate keys manually and distribute them to keystone pod(s).
    To do it, operator needs to put generated keys to the ccp config file
    in the following format:

    configs:
        keystone:
            fernet_keys:
                "0": <key-0>
                "2": <key-2>
                "3": <key-3>

    Then, execute custom action 'fernet-rotate'. The keys will be placed
    to the k8s secret.

    2. Automatic rotation.
    Do not put keys to config, just execute 'fernet-rotate'. Keys will be
    automatically rotated and put to proper secret.

    Partial-Bug: #1651392
    Partial-Bug: #1651394
    Change-Id: I577b3f36a12d14b4b5d546d9633d4629eb5d8a37

Reviewed: https://review.openstack.org/428074
Committed: https://git.openstack.org/cgit/openstack/fuel-ccp-keystone/commit/?id=cef1b979ba6ca4dba34e815e860d28cc7f6440c6
Submitter: Jenkins
Branch: master

commit cef1b979ba6ca4dba34e815e860d28cc7f6440c6
Author: Dmitry Klenov <email address hidden>
Date: Fri Jan 27 07:08:58 2017 +0000

    Enable fernet keys generation

    This change effectively enables fernet keys generation and their
    usage via the mechanism of k8s secrets. Legacy approach with
    pre-generated fernet key is removed.

    Change-Id: Ibdf0a0eafb48930d5536f35511be78c1e5df9921
    Partial-Bug: #1651392
    Partial-Bug: #1651394
    Depends-On: Iaaede4ccb94c99d70f3ecad040d5ab6c41428c5e
    Depends-On: I577b3f36a12d14b4b5d546d9633d4629eb5d8a37

Dmitry Klenov (dklenov) on 2017-02-15
Changed in fuel-ccp:
status: In Progress → Fix Committed
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers