@Doug, it is down to the threat model of services storing unencrypted passwords alongside other configuration variables, versus a different threat model for a service that manages key/password encryption.
Ideally we'd like to have an API for accessing service passwords during service startups/restarts, and a key management service running under a different Unix (Linux) UID, to separate the OpenStack services from the key vault service.
As a good reference please see here: https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet#Rule_-_Protect_keys_in_a_key_vault
IMO it would be good to try to introduce a 'service vault API' under the oslo umbrella, just like oslo.rootwrap and oslo.privsep work currently.
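The split described in the comment above (a vault process under its own UID, services fetching their passwords through an API at startup) as an added, runnable illustration. This is example code, not OpenStack, oslo or the commenter's code: the vault listens on a Unix domain socket, asks the kernel for the caller's UID via SO_PEERCRED (Linux only), and answers only if that UID is on the requested secret's allow-list, so a compromised service cannot read another service's password even though it can reach the socket. The service names, secret values and UID numbers are constructed; the demo runs the vault in a thread of the same process only so it can be run stand-alone, whereas the real design runs it as a separate process under a separate UID.

```python
"""Added example, not OpenStack or oslo code: a minimal privilege-separated
'service vault' over a Unix domain socket.

The vault holds the secrets and hands one out only if the kernel-reported
peer UID (Linux SO_PEERCRED) is on that secret's allow-list. Secret names,
values and UID numbers are constructed for illustration.
"""
import json
import os
import socket
import struct
import threading


class Vault:
    def __init__(self, policy, secrets):
        # policy: secret name -> set of UIDs allowed to read it
        # secrets: secret name -> value (a real vault would decrypt on demand)
        self.policy = policy
        self.secrets = secrets

    def authorize(self, name, uid):
        """Return the secret for `name` if `uid` may read it, else None.
        An unknown name and a forbidden UID look identical to the caller."""
        if uid in self.policy.get(name, ()):
            return self.secrets.get(name)
        return None

    @staticmethod
    def peer_uid(conn):
        """Ask the kernel who is on the other end (Linux SO_PEERCRED: pid, uid, gid)."""
        raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
        _pid, uid, _gid = struct.unpack("3i", raw)
        return uid

    def handle(self, conn):
        """Serve one request: {"name": ...} -> {"ok": bool, "value": str|None}."""
        with conn:
            uid = self.peer_uid(conn)  # trusted: supplied by the kernel, not the client
            try:
                name = str(json.loads(conn.recv(4096).decode()).get("name", ""))
            except (ValueError, AttributeError):
                name = ""
            value = self.authorize(name, uid)
            conn.sendall(json.dumps({"ok": value is not None, "value": value}).encode())

    def serve(self, path, max_requests=None, ready=None):
        """Listen on `path`; the socket file is created 0660 so only the
        vault's group can connect at all. Stops after max_requests if given."""
        if os.path.exists(path):
            os.unlink(path)
        old_umask = os.umask(0o117)
        try:
            srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            srv.bind(path)
        finally:
            os.umask(old_umask)
        srv.listen(8)
        if ready is not None:
            ready.set()
        served = 0
        with srv:
            while max_requests is None or served < max_requests:
                conn, _ = srv.accept()
                self.handle(conn)
                served += 1


def fetch_secret(path, name):
    """Client side: what a service would call during startup/restart."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(json.dumps({"name": name}).encode())
        resp = json.loads(c.recv(4096).decode())
    return resp["value"] if resp["ok"] else None


def start_vault_thread(vault, path, max_requests):
    """Demo only: run the vault in a background thread and wait until it listens.
    A real vault is a separate process running under its own UID."""
    ready = threading.Event()
    t = threading.Thread(target=vault.serve, args=(path, max_requests, ready), daemon=True)
    t.start()
    ready.wait(5)
    return t


if __name__ == "__main__":
    me = os.getuid()
    vault = Vault(
        policy={"nova/db_password": {me}, "glance/db_password": {me + 1}},
        secrets={"nova/db_password": "s3cr3t-nova", "glance/db_password": "s3cr3t-glance"},
    )
    sock_path = "/tmp/service-vault-demo.sock"
    start_vault_thread(vault, sock_path, max_requests=2)
    print(fetch_secret(sock_path, "nova/db_password"))    # our UID is allowed
    print(fetch_secret(sock_path, "glance/db_password"))  # None: policy names another UID
```

The authorization decision keys on the UID the kernel reports for the peer, never on anything the client sends, which is what makes running the vault under a separate UID meaningful: a service that is compromised can still talk to the socket, but it can only obtain the secrets its own UID is entitled to.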