Hi Folks,
Keystone supports Fernet tokens, whose payload is encrypted with a 128-bit AES
key.
Although a 128-bit AES key looks secure enough for most OpenStack deployments
[2], one may want to rotate encryption keys according to the already
proposed 3-step key rotation scheme (in case keys get compromised, or because
of organizational security policy requirements).
Also, creation and initial AES key distribution between Keystone HA nodes
could be challenging, and this complexity could be handled by the Fuel
deployment tool.

In regards to Fuel, I'd like to:
1. Add support for initializing Keystone's Fernet signing keys to Fuel
during OpenStack cluster (Keystone) deployment
2. Add support for rotating Keystone's Fernet signing keys to Fuel
according to some automatic schedule (for example, one rotation per week) or
triggered from the Fuel web user interface or through the Fuel API.

These two capabilities will be implemented in Fuel by the related blueprint [1].

[1] https://blueprints.launchpad.net/fuel/+spec/fernet-tokens-support
[2] http://www.eetimes.com/document.asp?doc_id=1279619


Regards,

-- 
Adam Heczko
Security Engineer @ Mirantis Inc.
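The 3-step rotation scheme the message refers to (staged key -> primary key -> secondary key, as Keystone's fernet_rotate implements it) modelled as an added example; this is not code from the original message, from Keystone or from Fuel. It assumes Keystone's key-repository convention (index 0 is the staged key, the highest index is the primary, the rest are secondaries) and replaces the real Fernet token with a constructed HMAC tag so it runs without extra dependencies.

```python
# Added example: Keystone-style three-step Fernet key rotation.
# A "token" here is an HMAC tag over the payload (a constructed stand-in for a
# Fernet token); what the model preserves is which keys are kept, in which order
# they are tried, and how long a token issued under an old primary stays valid.
import hashlib
import hmac
import os

def new_repo():
    """Initial repository: key 1 is the primary, key 0 is the staged key."""
    return {0: os.urandom(32), 1: os.urandom(32)}

def rotate(repo, max_active_keys=3):
    """Promote the staged key to primary, stage a fresh key, prune the oldest."""
    repo = dict(repo)
    primary = max(repo)
    repo[primary + 1] = repo.pop(0)       # step 1: staged key becomes the new primary
    repo[0] = os.urandom(32)              # step 2: a fresh staged key takes index 0
    while len(repo) > max_active_keys:    # step 3: drop the oldest secondaries
        del repo[min(k for k in repo if k != 0)]
    return repo

def key_order(repo):
    """Validation order: primary first, then secondaries (newest first), staged last."""
    return [repo[k] for k in sorted(repo, reverse=True)]

def issue(repo, payload):
    """Issue a token under the current primary key only."""
    return hmac.new(repo[max(repo)], payload, hashlib.sha256).digest()

def validate(repo, payload, tag):
    """Accept the token if any active key (including the staged key) produced it."""
    return any(hmac.compare_digest(hmac.new(k, payload, hashlib.sha256).digest(), tag)
               for k in key_order(repo))

def rotations_until_invalid(max_active_keys=3):
    """Number of rotations a token survives; equals max_active_keys - 2."""
    repo, survived = new_repo(), 0
    tag = issue(repo, b"token-payload")
    while True:
        repo = rotate(repo, max_active_keys)
        if not validate(repo, b"token-payload", tag):
            return survived
        survived += 1

def staged_key_covers_unrotated_node():
    """Why the staged key exists: node B has rotated, node A has not, yet A still
    validates B's tokens because B's new primary is A's staged key."""
    node_a = new_repo()                   # same repository distributed to both nodes
    node_b = rotate(node_a)               # only node B has rotated so far
    return validate(node_a, b"payload", issue(node_b, b"payload"))
```

Distributing the staged key to every HA node before any node promotes it is what makes the rotation safe in a cluster; the last function fails if the staged key is missing from an unrotated node.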
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev