Attila Bukor created KUDU-3448: ---------------------------------- Summary: Store IPKI and TSK key material encrypted Key: KUDU-3448 URL: https://issues.apache.org/jira/browse/KUDU-3448 Project: Kudu Issue Type: Improvement Reporter: Attila Bukor
Key material for IPKI TLS and TSK should be stored on disk securely, even when user data is not encrypted. The symmetric encryption key should be derived from a password using PBKDF2 which is a FIPS-approved KDF. The masters should have a flag that expects a command which outputs the password (similar to {{{}--webserver_private_key_password_cmd{}}}), that way the users can integrate with a HSM or choose another way to provide the password securely without storing it on a disk. Generating new keys or encrypting existing key material is outside the scope of this ticket. -- This message was sent by Atlassian Jira (v8.20.10#820010)