[ https://issues.apache.org/jira/browse/KUDU-3448?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Attila Bukor reassigned KUDU-3448:
----------------------------------

    Assignee: Attila Bukor

> Store IPKI and TSK key material encrypted
> -----------------------------------------
>
>                 Key: KUDU-3448
>                 URL: https://issues.apache.org/jira/browse/KUDU-3448
>             Project: Kudu
>          Issue Type: Improvement
>            Reporter: Attila Bukor
>            Assignee: Attila Bukor
>            Priority: Critical
>              Labels: security
>
> Key material for IPKI TLS and TSK should be stored on disk securely, even
> when user data is not encrypted. The symmetric encryption key should be
> derived from a password using PBKDF2, which is a FIPS-approved KDF. The
> masters should have a flag that expects a command which outputs the password
> (similar to {{--webserver_private_key_password_cmd}}), that way the users
> can integrate with an HSM or choose another way to provide the password
> securely without storing it on a disk.
> Generating new keys or encrypting existing key material is outside the scope
> of this ticket.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
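
The flow the ticket describes (password read from a command's output, symmetric key derived with PBKDF2), as an added example that is not Kudu's code. The function names, the header layout, the iteration count and the constructed password command are assumptions made for illustration.

```python
import hashlib
import os
import shlex
import subprocess
import sys

KDF_NAME = "pbkdf2-hmac-sha256"
ITERATIONS = 600_000  # assumed work factor, not a value from the ticket
KEY_LEN = 32          # 256-bit symmetric key
SALT_LEN = 16

def read_password(password_cmd: str) -> bytes:
    """Run the operator-supplied command and use its stdout as the password."""
    # Split into argv and run without a shell, so the flag value is not
    # reinterpreted by /bin/sh; the output is only held in memory.
    out = subprocess.run(shlex.split(password_cmd), capture_output=True,
                         check=True, timeout=30).stdout
    password = out.rstrip(b"\r\n")  # commands usually end output with a newline
    if not password:
        raise ValueError("password command produced no output")
    return password

def derive_key(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2 (NIST SP 800-132) with HMAC-SHA-256 as the PRF."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=KEY_LEN)

def new_key(password_cmd: str):
    """Derive a key under a fresh random salt; returns (key, header)."""
    # The header is non-secret and would be stored next to the encrypted
    # key material so the same key can be re-derived at startup.
    salt = os.urandom(SALT_LEN)
    header = {"kdf": KDF_NAME, "iterations": ITERATIONS, "salt": salt.hex()}
    return derive_key(read_password(password_cmd), salt), header

def rederive_key(password_cmd: str, header: dict) -> bytes:
    """Recompute the key from the stored header and the command's password."""
    if header["kdf"] != KDF_NAME:
        raise ValueError("unsupported KDF in header")
    return derive_key(read_password(password_cmd),
                      bytes.fromhex(header["salt"]), header["iterations"])

if __name__ == "__main__":
    # Constructed stand-in for an HSM or secrets-manager client.
    cmd = f"{shlex.quote(sys.executable)} -c \"print('constructed-password')\""
    key, header = new_key(cmd)
    print(header, rederive_key(cmd, header) == key)
```

Only the salt, iteration count and KDF name are persisted; the derived key would then feed an authenticated cipher, which is also what detects a wrong password at load time.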