Comment 2 for bug 1587064

Adam Heczko (aheczko-mirantis) wrote :

@Doug, it comes down to the threat model of services storing unencrypted passwords alongside other configuration variables, versus the different threat model of a service that manages keys/password encryption.
Ideally we'd like to have an API for accessing service passwords during service startups/restarts, and a key management service running under a different Unix (Linux) UID, to separate the OpenStack services from the key vault service.
As a good reference, please see here:
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet#Rule_-_Protect_keys_in_a_key_vault
IMO it would be good to try to introduce a 'service vault API' under the oslo umbrella, just like oslo.rootwrap and oslo.privsep work currently.
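As an added example (not from this bug thread or any OpenStack/oslo project) of the privilege-separated "service vault" sketched in the comment above: a vault process that would run under its own UID serves service passwords over a Unix-domain socket and uses SO_PEERCRED to hand each secret only to the UID it is registered for. The socket path, the VAULT contents and all function names are constructed assumptions, and the code assumes Linux; in the demo both sides run as one UID, so the second entry is registered to a different UID to show the deny path.

```python
import os
import socket
import struct
import tempfile
import threading

# Constructed secret store: name -> (UID allowed to read it, value).
# In a real deployment this process would run as its own UID and the
# store would live in protected storage, never in the services' config files.
VAULT = {
    "glance_db_password": (os.getuid(), "s3cr3t-glance"),
    "nova_db_password": (os.getuid() + 1, "s3cr3t-nova"),  # some other UID
}

def peer_uid(conn):
    """UID of the process at the other end of a Unix socket (Linux SO_PEERCRED)."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)  # struct ucred {pid, uid, gid}
    return uid

def authorize(name, uid):
    """Return the secret if `uid` may read `name`, otherwise None (fail closed)."""
    entry = VAULT.get(name)
    if entry is None or entry[0] != uid:
        return None
    return entry[1]

def serve_one(server_sock):
    """Vault side: answer one request, authorizing on kernel-reported peer UID."""
    conn, _ = server_sock.accept()
    with conn:
        name = conn.recv(256).decode("utf-8", "replace").strip()
        secret = authorize(name, peer_uid(conn))
        conn.sendall(b"DENIED" if secret is None else secret.encode())

def fetch_secret(path, name):
    """Service side: what a service would call at startup to get its password."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(name.encode())
        return s.recv(4096).decode()

def demo():
    """Serve two requests from one vault thread; returns (allowed, denied) replies."""
    path = os.path.join(tempfile.mkdtemp(), "vault.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(2)
    t = threading.Thread(target=lambda: [serve_one(srv) for _ in range(2)])
    t.start()
    results = (fetch_secret(path, "glance_db_password"), fetch_secret(path, "nova_db_password"))
    t.join()
    srv.close()
    return results
```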