> From: Jagga Soorma [mailto:jagg...@gmail.com] 
> Sent: 29 March 2016 04:07
> To: openstack
> Subject: [Openstack] Key management
>
> Hey Guys,
>
> I have a new openstack environment and one thing I have noticed is that my
> keys are all over the place now which got me thinking what others might be
> doing for key management?
> Just curious if there is a better more central/secure way to store my keys.
>
> Thanks!

Hi Jagger,

In its default configuration, OpenStack doesn't have a lot of 'keys' in the
traditional cryptographic sense. Although it certainly has a lot of sensitive
credentials sprayed about the place in flat files.

To address key management specifically, you should take a look at the Barbican
project[1], this is designed to make handling cryptographic keys (and other
sensitive primitives) safe and easy to do within OpenStack.

As for the rest of OpenStack, it's really down to your distribution to
appropriately secure system files. Many distributors will use a combination of
mandatory and discretionary access controls (MAC & DAC) to limit access to
on-disk credentials. Typically managing their lifetime through some deployment
configuration tool such as Ansible, Salt, Chef, Puppet etc.

Personally I've been experimenting with some more real-time management of
system level credentials using etcd. However that's early days.

-Rob

[1] https://wiki.openstack.org/wiki/Barbican 
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
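
The reply above notes that OpenStack credentials sit in flat files and that discretionary access controls are what limit access to them. As an added example (not part of the original thread and not OpenStack project code), the sketch below walks a config tree and reports INI files that hold credential-like options while their mode bits allow group write or any access by others. The option-name fragments, the permission policy and the sample files are assumptions constructed for illustration.

```python
import stat
import tempfile
from pathlib import Path

# Option-name fragments that usually mark a credential (assumption: tune per deployment).
SENSITIVE = ("password", "secret", "token", "connection", "transport_url")
LOOSE_BITS = stat.S_IWGRP | stat.S_IRWXO  # group-write plus any "other" access


def credential_options(path):
    """Return 'section/option' names in an INI-style file that look like credentials."""
    section, hits = "DEFAULT", []
    for raw in Path(path).read_text(errors="replace").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and not line.startswith(("#", ";")):
            name, value = (part.strip() for part in line.split("=", 1))
            if value and any(frag in name.lower() for frag in SENSITIVE):
                hits.append(f"{section}/{name}")
    return hits


def audit(root):
    """List (file name, octal mode, options) for credential files with loose DAC bits."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*.conf") if p.is_file()):
        mode = stat.S_IMODE(path.stat().st_mode)
        options = credential_options(path)
        if options and mode & LOOSE_BITS:
            findings.append((path.name, oct(mode), options))
    return findings


def build_sample_tree(root):  # constructed sample data with made-up credentials
    samples = {
        "nova.conf": (0o644, "[database]\nconnection = mysql+pymysql://nova:EXAMPLE@db/nova\n"),
        "glance.conf": (0o640, "[keystone_authtoken]\npassword = EXAMPLE\n"),
        "logging.conf": (0o644, "[loggers]\nkeys = root\n"),
    }
    for name, (mode, body) in samples.items():
        (Path(root) / name).write_text(body)
        (Path(root) / name).chmod(mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # demo on the constructed tree
        build_sample_tree(tmp)
        print(audit(tmp))
```

Pointing `audit()` at a real configuration directory requires read access to the files, so it is normally run as root on the host being checked.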