Barbican depends on Keystone though for authentication. It's not a silver bullet 
here.

Kevin
________________________________
From: Dolph Mathews [dolph.math...@gmail.com]
Sent: Monday, July 27, 2015 10:53 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Keystone][Fernet] HA SQL backend for Fernet keys

Although using a node's *local* filesystem requires external configuration 
management to manage the distribution of rotated keys, it's always available, 
easy to secure, and can be updated atomically per node. Note that Fernet's 
rotation strategy uses a staged key that can be distributed to all nodes in 
advance of it being used to create new tokens.

Also be aware that you wouldn't want to store encryption keys in plaintext in a 
shared database, so you must introduce an additional layer of complexity to 
solve that problem.

Barbican seems like much more logical next-step beyond the local filesystem, as 
it shifts the burden onto a system explicitly designed to handle this issue 
(albeit in a multitenant environment).

On Mon, Jul 27, 2015 at 12:01 PM, Alexander Makarov 
<amaka...@mirantis.com> wrote:
Greetings!

I'd like to discuss the pros and cons of having Fernet encryption keys stored 
in a database backend.
The idea itself emerged during discussion about synchronizing rotated keys in 
HA environment.
Now Fernet keys are stored in the filesystem that has some availability issues 
in unstable cluster.
OTOH, making SQL highly available is considered easier than that for a 
filesystem.

--
Kind Regards,
Alexander Makarov,
Senior Software Developer,

Mirantis, Inc.
35b/3, Vorontsovskaya St., 109147, Moscow, Russia

Tel.: +7 (495) 640-49-04
Tel.: +7 (926) 204-50-60

Skype: MAKAPOB.AJIEKCAHDP

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
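The staged-key behaviour Dolph describes above is easiest to see in a small model of Keystone's Fernet key repository (key 0 is the staged key, the highest index is the primary key, everything in between is a secondary key). The following is an added example, not Keystone's own code: it stands in an HMAC-SHA256 tag for real Fernet encryption so it runs offline, and the `max_active_keys` name mirrors the Keystone option of the same name. It shows why a node that has not yet rotated can still validate tokens issued by a node that has already promoted the staged key.

```python
"""Model of Keystone-style Fernet key rotation with a staged key.

Added example: tokens are authenticated with HMAC-SHA256 instead of real
Fernet encryption so that the script needs only the standard library.
"""
import base64
import hashlib
import hmac
import os


def new_key():
    """Generate a fresh random key (constructed, not a real Fernet key)."""
    return base64.urlsafe_b64encode(os.urandom(32))


def init_repository():
    """Fresh repository: index 0 is the staged key, index 1 the primary key."""
    return {0: new_key(), 1: new_key()}


def primary_index(repo):
    """The primary key is always the highest-numbered key."""
    return max(repo)


def rotate(repo, max_active_keys=3):
    """Promote the staged key to primary, stage a new key, prune old secondaries.

    max_active_keys counts staged + primary + secondary keys, so after pruning
    the oldest secondaries the repository never exceeds that size.
    """
    new_primary = primary_index(repo) + 1
    repo[new_primary] = repo.pop(0)      # staged key becomes the new primary
    repo[0] = new_key()                  # a new staged key is created
    while len(repo) > max_active_keys:
        oldest = min(k for k in repo if k != 0)
        del repo[oldest]                 # oldest secondary can no longer validate tokens
    return repo


def issue_token(repo, payload):
    """Tokens are always created with the primary key, never the staged key."""
    key = repo[primary_index(repo)]
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag)


def validate_token(repo, token):
    """Try every key in the repository (staged key included), as MultiFernet does.

    Returns the payload on success or None if no active key validates the token.
    """
    raw = base64.urlsafe_b64decode(token)
    payload, tag = raw[:-32], raw[-32:]
    for key in repo.values():
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return payload
    return None


def staged_key_bridges_rotation():
    """Node A rotates before node B; B still validates A's new tokens.

    Both nodes received the same staged key in advance, which is the whole
    point of distributing key 0 before it is used to sign anything.
    """
    node_a = init_repository()
    node_b = dict(node_a)                # distributed copy of the same repository
    rotate(node_a)                       # only node A has rotated so far
    token = issue_token(node_a, b"user:alice")   # signed with A's new primary (B's staged key)
    return validate_token(node_b, token) == b"user:alice"


if __name__ == "__main__":
    print("staged key validated on un-rotated node:", staged_key_bridges_rotation())
```

The model also shows the trade-off behind `max_active_keys`: once a secondary key is pruned, tokens issued under it stop validating on that node, so a node that lags too many rotations behind its peers will reject their tokens even though it holds the staged key.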

