[
https://issues.apache.org/jira/browse/KUDU-3448?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Attila Bukor reassigned KUDU-3448:
----------------------------------
Assignee: Attila Bukor
> Store IPKI and TSK key material encrypted
> -----------------------------------------
>
> Key: KUDU-3448
> URL: https://issues.apache.org/jira/browse/KUDU-3448
> Project: Kudu
> Issue Type: Improvement
> Reporter: Attila Bukor
> Assignee: Attila Bukor
> Priority: Critical
> Labels: security
>
> Key material for IPKI TLS and TSK should be stored on disk securely, even
> when user data is not encrypted. The symmetric encryption key should be
> derived from a password using PBKDF2 which is a FIPS-approved KDF. The
> masters should have a flag that expects a command which outputs the password
> (similar to {{{}--webserver_private_key_password_cmd{}}}), that way the users
> can integrate with a HSM or choose another way to provide the password
> securely without storing it on a disk.
> Generating new keys or encrypting existing key material is outside the scope
> of this ticket.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
