On Thu, Jul 16, 2015 at 10:29 AM, Davanum Srinivas wrote:
> Adam,
>
> For 1, do we let the user configure max_active_keys? What's the default?
>
The default in keystone is 3, simply to support having one key in each of
the three phases of rotation. You can increase it from there per your
desired rot
Adam,
For 1, do we let the user configure max_active_keys? What's the default?
Please note that there is a risk that an active token may be
invalidated if Fernet key rotation removes keys early. So that's a
potential issue to keep in mind (relation of token expiry to period of
key rotation).
thanks,
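The three-phase ring (staged, primary, secondaries), the max_active_keys pruning and the invalidation risk raised above, as an added simulation written for this thread; it is not keystone code and not from any poster. Assumptions: an HMAC-SHA256 tag stands in for Fernet's AES encryption, key index 0 is the staged key and the highest index the primary, and rotation purges the lowest-numbered secondaries first. The `simulate` helper issues a token immediately before every rotation (the worst case) and reports tokens that are still within their lifetime but no longer validate; `required_max_active_keys` gives the ring size that avoids that.

```python
import hashlib
import hmac
import math
import os


class FernetKeyRing:
    """Stand-in for keystone's Fernet key repository (assumption: HMAC tag instead of AES)."""

    STAGED = 0  # index 0 is always the staged key (next primary)

    def __init__(self, max_active_keys=3):
        if max_active_keys < 2:
            raise ValueError("need at least a staged key and a primary key")
        self.max_active_keys = max_active_keys
        # initial setup: one staged key (0) and one primary key (1)
        self.keys = {0: os.urandom(32), 1: os.urandom(32)}

    @property
    def primary(self):
        # the highest index signs new tokens; everything in between is validate-only
        return max(self.keys)

    def rotate(self):
        """Staged -> primary, fresh staged key, then purge the oldest secondaries.

        Returns the indexes removed by this rotation."""
        self.keys[self.primary + 1] = self.keys.pop(self.STAGED)
        self.keys[self.STAGED] = os.urandom(32)
        removed = []
        while len(self.keys) > self.max_active_keys:
            oldest = min(i for i in self.keys if i != self.STAGED)
            del self.keys[oldest]
            removed.append(oldest)
        return removed

    @staticmethod
    def _mac(key, body):
        return hmac.new(key, body, hashlib.sha256).hexdigest()

    def issue(self, payload, issued_at, lifetime):
        """Issue a token under the current primary key (constructed format, not Fernet's)."""
        body = f"{issued_at}|{issued_at + lifetime}|{payload.hex()}"
        return f"{body}|{self._mac(self.keys[self.primary], body.encode())}"

    def validate(self, token, now):
        body, _, tag = token.rpartition("|")
        _, expires, _ = body.split("|")
        if float(expires) <= now:
            return False
        # like MultiFernet: try every key still in the ring, staged key included
        return any(hmac.compare_digest(self._mac(k, body.encode()), tag)
                   for k in self.keys.values())


def token_expiry(token):
    return float(token.split("|")[1])


def simulate(max_active_keys, rotation_interval, token_lifetime, rotations):
    """Return the unexpired tokens that a rotation schedule invalidates early."""
    ring = FernetKeyRing(max_active_keys)
    tokens, early = [], []
    for k in range(rotations):
        now = k * rotation_interval
        # worst case: a token issued immediately before the rotation at `now`
        tokens.append(ring.issue(b"user:alice", now, token_lifetime))
        ring.rotate()
        for tok in tokens:
            if token_expiry(tok) > now and tok not in early and not ring.validate(tok, now):
                early.append(tok)
    return early


def required_max_active_keys(token_lifetime, rotation_interval):
    """A token survives (max_active_keys - 2) rotations at worst, so solve for the ring size."""
    return math.ceil(token_lifetime / rotation_interval) + 2


if __name__ == "__main__":
    # constructed schedule: one-hour tokens, daily rotation -> the default of 3 keys suffices
    print(required_max_active_keys(3600, 86400))          # 3
    print(len(simulate(3, 1.0, 1.0, 5)))                  # 0 early invalidations
    print(len(simulate(3, 1.0, 1.5, 5)))                  # tokens outlive their key
```

The simulation shows where the risk comes from: a token signed under the primary key just before a rotation is demoted to a secondary at that rotation and purged at the next one once the ring is full, so with the default of 3 keys it is only guaranteed to validate for one rotation interval. Keeping the token expiry below (max_active_keys - 2) rotation intervals removes the early invalidation.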
Hi Folks,
Keystone supports Fernet tokens, whose payload is encrypted with a 128-bit AES
key.
Although a 128-bit AES key looks secure enough for most OpenStack deployments
[2], one may want to rotate encryption keys according to the already
proposed 3-step key rotation scheme (in case keys get comprom