On 30/08/18 6:29 AM, Lance Bragstad wrote:
> > Is that what is being described here?
> >
> > https://docs.openstack.org/keystone/pike/admin/identity-credential-encryption.html
>
> This is a separate mechanism for storing secrets, not necessarily
> passwords (although I agree the term credentials automatically makes
> people assume passwords). This is used if consuming keystone's native
> MFA implementation. For example, storing a shared secret between the
> user and keystone that is provided as an additional authentication
> method along with a username and password combination.

Is there any interest or plans to potentially allow Keystone's credential store to use Barbican as a storage provider? Encryption already is better than nothing, but if you already have (or will be deploying) a proper secret store with a hardware backend (or at least hardware stored encryption keys) then it might make sense to throw that in Barbican. Or is this also too much of a chicken/egg problem? How safe is it to rely on Barbican availability for MFA secrets and auth?