Use redis to store/rotate fernet keys

Bug #1579172 reported by Steve Martinelli
Affects: OpenStack Identity (keystone)
Status: Expired
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Currently the only option for fernet keys is to store them on a file system, and replicate and rotate them using tools such as rsync.

It would be nice to use something like redis to store these keys instead.

Tags: fernet
Dolph Mathews (dolph) wrote :

Why Redis, specifically? That would have all the same security issues as storing them in SQL.

Changed in keystone:
importance: Undecided → Wishlist
status: New → Incomplete
tags: added: fernet
summary: - RFE: use redis to store/rotate fernet keys
+ Use redis to store/rotate fernet keys
Guang Yee (guang-yee) wrote :

Dolph, I agree, Redis would have the same security issues. We are working on a POC to see if those keys can be managed by Barbican. Will update our findings once we have the POC completed.

David Stanek (dstanek) wrote :

I agree with Dolph and Guang here. There are too many things we would need to do to make this secure. We already hash user passwords that are stored in the database, so following suit we would probably encrypt the keys. That means we have encryption keys to decrypt the fernet keys on disk anyway.

Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Identity (keystone) because there has been no activity for 60 days.]

Changed in keystone:
status: Incomplete → Expired