Adam, for 1, do we let the user configure max_active_keys? What's the default?
Please note that there is a risk that an active token may be invalidated if Fernet key rotation removes keys early. So that's a potential issue to keep in mind (the relation of token expiry to the period of key rotation).

thanks,
dims

On Thu, Jul 16, 2015 at 10:22 AM, Adam Heczko <ahec...@mirantis.com> wrote:
> Hi Folks,
> Keystone supports Fernet tokens, which have a payload encrypted by an AES 128-bit
> key.
> Although an AES 128-bit key looks secure enough for most OpenStack deployments
> [2], one may want to rotate encryption keys according to the already
> proposed 3-step key rotation scheme (in case keys get compromised or because of an
> organizational security policy requirement).
> Also, creation and initial AES key distribution between Keystone HA nodes
> could be challenging, and this complexity could be handled by the Fuel deployment
> tool.
>
> In regards to Fuel, I'd like to:
> 1. Add support for initializing Keystone's Fernet signing keys to Fuel
> during OpenStack cluster (Keystone) deployment
> 2. Add support for rotating Keystone's Fernet signing keys to Fuel according
> to some automatic schedule (for example one rotation per week) or triggered
> from the Fuel web user interface or through the Fuel API.
>
> These two capabilities will be implemented in Fuel by the related blueprint [1].
>
> [1] https://blueprints.launchpad.net/fuel/+spec/fernet-tokens-support
> [2] http://www.eetimes.com/document.asp?doc_id=1279619
>
>
> Regards,
>
> --
> Adam Heczko
> Security Engineer @ Mirantis Inc.
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

--
Davanum Srinivas :: https://twitter.com/dims
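To make the token-expiry versus rotation-period risk raised above concrete, here is an added simulation (not Keystone's or Fuel's code) of the 3-step Fernet rotation scheme: key 0 is the staged key, the highest index is the primary, and the oldest secondaries are purged once the repository exceeds max_active_keys. It assumes a fresh repository starts with keys 0 and 1, and derives the longest token lifetime that is guaranteed to survive rotation for a given max_active_keys and rotation interval.

```python
from dataclasses import dataclass, field


@dataclass
class KeyRepo:
    # Modelled key repository: 0 = staged key, max(keys) = primary key,
    # everything in between = secondary keys (still usable for decryption).
    keys: list = field(default_factory=lambda: [0, 1])

    @property
    def primary(self) -> int:
        return max(self.keys)

    def rotate(self, max_active_keys: int) -> list:
        """One rotation step (our model of the documented scheme).
        Returns the ids of the secondary keys that were purged."""
        new_primary = self.primary + 1
        # The staged key 0 is promoted to primary; a fresh key 0 is staged.
        self.keys = sorted(k for k in self.keys if k != 0) + [new_primary, 0]
        self.keys.sort()
        purged = []
        # Drop the oldest secondaries (never the staged key) over the limit.
        while len(self.keys) > max_active_keys:
            victim = min(k for k in self.keys if k != 0)
            self.keys.remove(victim)
            purged.append(victim)
        return purged


def token_decryptable(repo: KeyRepo, token_key_id: int) -> bool:
    # A Fernet token stays valid only while the key that encrypted it exists.
    return token_key_id in repo.keys


def rotations_until_purged(max_active_keys: int) -> int:
    """How many rotations a token issued under the current primary survives."""
    repo = KeyRepo()
    for _ in range(max_active_keys):  # reach steady state first
        repo.rotate(max_active_keys)
    issued_with = repo.primary
    count = 0
    while token_decryptable(repo, issued_with):
        repo.rotate(max_active_keys)
        count += 1
    return count


def max_safe_token_lifetime(max_active_keys: int, rotation_interval: float) -> float:
    """Worst case: a token issued just before a rotation. It loses one full
    interval immediately, so only (rotations - 1) intervals are guaranteed."""
    return (rotations_until_purged(max_active_keys) - 1) * rotation_interval
```

With the weekly rotation from the thread and Keystone's default of 3 active keys, the guaranteed window is one rotation interval (a week), so the default one-hour token expiry is safe; a max_active_keys of 2 guarantees nothing.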