-----Original Message-----
From: Dave McCowan (dmccowan) <dmcco...@cisco.com>
Reply: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org>
Date: January 16, 2017 at 13:03:41
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

> Yep. Barbican supports four backend secret stores. [1]
>
> The first (Simple Crypto) is easy to deploy, but not extraordinarily
> secure, since the secrets are encrypted using a static key defined in the
> barbican.conf file.
>
> The second and third (PKCS#11 and KMIP) are secure, but require an HSM as
> a hardware base to encrypt and/or store the secrets.
> The fourth (Dogtag) is secure, but requires a deployment of Dogtag to
> encrypt and store the secrets.
>
> We do not currently have a secret store that is both highly secure and
> easy to deploy/manage.
>
> We, the Barbican community, are very open to any ideas, blueprints, or
> patches on how to achieve this.
> In any of the homegrown per-project secret stores, has a solution been
> developed that solves both of these?
>
>
> [1]
> http://docs.openstack.org/project-install-guide/key-manager/draft/barbican-backend.html

So there seems to be a consensus that Vault is a good easy and secure
solution to deploy. Can Barbican use that as a backend secret store?

--
Ian Cordasco