[openstack-dev] [Fuel] Add support for Keystone's Fernet encryption keys management: initialization, rotation
Hi Folks,

Keystone supports Fernet tokens, whose payload is encrypted with a 128-bit AES key. Although a 128-bit AES key looks secure enough for most OpenStack deployments [2], one may want to rotate encryption keys according to the already proposed 3-step key rotation scheme (in case keys get compromised, or because of an organizational security policy requirement). Also, creation and initial AES key distribution between Keystone HA nodes could be challenging, and this complexity could be handled by the Fuel deployment tool.

In regards to Fuel, I'd like to:

1. Add support for initializing Keystone's Fernet signing keys to Fuel during OpenStack cluster (Keystone) deployment
2. Add support for rotating Keystone's Fernet signing keys to Fuel according to some automatic schedule (for example one rotation per week) or triggered from the Fuel web user interface or through the Fuel API.

These two capabilities will be implemented in Fuel by the related blueprint [1].

[1] https://blueprints.launchpad.net/fuel/+spec/fernet-tokens-support
[2] http://www.eetimes.com/document.asp?doc_id=1279619

Regards,

--
Adam Heczko
Security Engineer @ Mirantis Inc.

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Fuel] Add support for Keystone's Fernet encryption keys management: initialization, rotation
Adam,

For 1, do we let the user configure max_active_keys? What's the default?

Please note that there is a risk that an active token may be invalidated if Fernet key rotation removes keys early. So that's a potential issue to keep in mind (relation of token expiry to period of key rotation).

thanks,
dims

On Thu, Jul 16, 2015 at 10:22 AM, Adam Heczko ahec...@mirantis.com wrote:
> [...]

--
Davanum Srinivas :: https://twitter.com/dims
Re: [openstack-dev] [Fuel] Add support for Keystone's Fernet encryption keys management: initialization, rotation
On Thu, Jul 16, 2015 at 10:29 AM, Davanum Srinivas dava...@gmail.com wrote:
> Adam,
>
> For 1, do we let the user configure max_active_keys? What's the default?

The default in Keystone is 3, simply to support having one key in each of the three phases of rotation. You can increase it from there per your desired rotation frequency and token lifespan.

> Please note that there is a risk that an active token may be invalidated if Fernet key rotation removes keys early. So that's a potential issue to keep in mind (relation of token expiry to period of key rotation).

Keystone's three-phase rotation scheme avoids this by allowing you to pre-stage keys across the cluster before using them for encryption.

> thanks,
> dims
>
> On Thu, Jul 16, 2015 at 10:22 AM, Adam Heczko ahec...@mirantis.com wrote:
> > [...]
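The key-lifecycle bookkeeping behind the two replies above (dims's point that a key purged too early invalidates tokens that have not yet expired, and the reply that the staged key is distributed across the cluster before it is ever used for encryption), as an added example that is not part of this thread and is not Keystone's or Fuel's code. It models the key repository as an integer-indexed mapping in the layout Keystone uses for its key directory (index 0 is the staged key, the highest index is the primary, the rest are secondaries), and it replaces Fernet's AES-CBC encryption with an HMAC-SHA256 tag so that it runs on the Python standard library alone; the rotation logic, not the cipher, is what it demonstrates. `required_active_keys` derives the smallest `max_active_keys` that keeps every unexpired token verifiable for a given token lifetime and rotation period; that derivation, all function names and the sample durations are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import json
import math
import os
from typing import Dict, List, Optional

DAY = 86400
HOUR = 3600
TAG_LEN = 32  # HMAC-SHA256 digest length


class KeyRepository:
    """Stand-in for a Keystone Fernet key repository (example model, not Keystone code).

    Index 0 is the staged key, the highest index is the primary key and the
    remaining indexes are secondary keys.
    """

    def __init__(self, max_active_keys: int = 3) -> None:
        # 3 is the default: one key in each phase (staged, primary, secondary).
        if max_active_keys < 3:
            raise ValueError("max_active_keys must be at least 3")
        self.max_active_keys = max_active_keys
        self.keys: Dict[int, bytes] = {}

    def initialize(self) -> None:
        """Initial setup: a staged key (0) and a primary key (1)."""
        self.keys = {0: os.urandom(32), 1: os.urandom(32)}

    @property
    def primary_index(self) -> int:
        return max(self.keys)

    def rotate(self) -> None:
        """Three-phase rotation: staged -> primary, old primary -> secondary,
        then a fresh staged key, then purge the oldest secondaries beyond the limit."""
        new_primary = self.primary_index + 1
        self.keys[new_primary] = self.keys.pop(0)  # promote the staged key
        self.keys[0] = os.urandom(32)              # new staged key, not yet used to issue
        while len(self.keys) > self.max_active_keys:
            oldest = min(i for i in self.keys if i != 0)
            del self.keys[oldest]                  # purge the oldest secondary

    def verification_order(self) -> List[bytes]:
        """Primary first, then secondaries newest-first, then the staged key last.
        Trying the staged key lets a node that has not rotated yet accept tokens
        from a node that already promoted the shared staged key."""
        promoted = sorted((i for i in self.keys if i != 0), reverse=True)
        return [self.keys[i] for i in promoted] + [self.keys[0]]


def _tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_token(repo: KeyRepository, user_id: str, issued_at: int, lifetime: int) -> bytes:
    """Issue a token under the current primary key (Fernet would encrypt; this signs)."""
    claims = {"user_id": user_id, "issued_at": issued_at, "expires_at": issued_at + lifetime}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload + _tag(repo.keys[repo.primary_index], payload))


def validate_token(repo: KeyRepository, token: bytes, now: int) -> Optional[dict]:
    """Return the claims if some active key authenticates the token and it is unexpired.
    Once the issuing key has been purged no key matches, so the token is rejected
    even if its expiry lies in the future: the failure mode dims describes."""
    raw = base64.urlsafe_b64decode(token)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    for key in repo.verification_order():
        if hmac.compare_digest(_tag(key, payload), tag):
            claims = json.loads(payload)
            return None if now > claims["expires_at"] else claims
    return None


def required_active_keys(token_lifetime: int, rotation_period: int) -> int:
    """Smallest max_active_keys under which no unexpired token loses its key.
    A key promoted at t0 issues tokens until t0 + P, the last of which expires at
    t0 + P + L; it is purged at t0 + (max_active_keys - 1) * P, so L <= (max_active_keys - 2) * P."""
    return math.ceil(token_lifetime / rotation_period) + 2


def token_survives_rotation(max_active_keys: int, rotation_period: int, token_lifetime: int) -> bool:
    """Worst case: a token issued just before a rotation; rotate on schedule and
    check that it still validates at every rotation until it expires."""
    repo = KeyRepository(max_active_keys)
    repo.initialize()
    issued_at = rotation_period - 1
    token = issue_token(repo, "alice", issued_at, token_lifetime)
    now = rotation_period
    while now <= issued_at + token_lifetime:
        repo.rotate()
        if validate_token(repo, token, now) is None:
            return False
        now += rotation_period
    return True


def staged_key_covers_partial_rollout() -> bool:
    """Node A has rotated, node B has not (both started from the same synced repository).
    B must still accept A's tokens, which it can only do through its staged key."""
    node_a = KeyRepository()
    node_a.initialize()
    node_b = KeyRepository()
    node_b.keys = dict(node_a.keys)
    node_a.rotate()
    token = issue_token(node_a, "bob", issued_at=0, lifetime=HOUR)
    return validate_token(node_b, token, now=1) is not None


if __name__ == "__main__":
    print("3 keys, weekly rotation, 1h tokens survive:", token_survives_rotation(3, 7 * DAY, HOUR))
    print("3 keys, weekly rotation, 8d tokens survive:", token_survives_rotation(3, 7 * DAY, 8 * DAY))
    print("keys needed for 8d tokens with weekly rotation:", required_active_keys(8 * DAY, 7 * DAY))
    print("staged key bridges a partial rollout:", staged_key_covers_partial_rollout())
```

With the default of 3 keys and one rotation per week, tokens with a lifetime of up to one week stay verifiable; a longer lifetime needs `max_active_keys` raised by one for each extra rotation period, which is the knob the first reply asks about. The `staged_key_covers_partial_rollout` check is the reason rotation must be driven from one place and the repository synced to every Keystone node before any node promotes the staged key.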