Hi Folks,
Keystone supports Fernet tokens, whose payload is encrypted with a 128-bit AES
key.
Although a 128-bit AES key looks secure enough for most OpenStack deployments
[2], one may want to rotate encryption keys according to the already
proposed 3-step key rotation scheme (in case keys get
Adam,
For 1, do we let the user configure max_active_keys? What's the default?
Please note that there is a risk that an active token may be
invalidated if Fernet key rotation removes keys early. So that's a
potential issue to keep in mind (the relation of token expiry to the period
of key rotation).
On Thu, Jul 16, 2015 at 10:29 AM, Davanum Srinivas dava...@gmail.com
wrote:
Adam,
For 1, do we let the user configure max_active_keys? What's the default?
The default in keystone is 3, simply to support having one key in each of
the three phases of rotation. You can increase it from there per
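As an added illustration of the three-phase rotation and of the expiry-versus-rotation risk raised in this thread (this is example code written for this page, not keystone's implementation and not code posted by anyone in the thread), the following Python models a key repository indexed the way a keystone Fernet repository is: key 0 is the staged key, the highest index is the primary key, everything in between is a secondary key. Assumptions made by the model, none of them from the thread: tokens are protected with HMAC-SHA256 rather than Fernet's AES-CBC plus HMAC, since only "which key validates this token" matters here; keys are 16 random bytes; the initial repository holds a staged key 0 and a primary key 1; the purge removes the lowest-numbered secondary keys first; and the sample schedules in `main()` use a token lifetime of 3600 seconds. The default `max_active_keys=3` is the value Adam gives above.

```python
"""Model of Fernet key-repository rotation and the token-invalidation risk.

Illustrative code, not keystone's own: tokens are tagged with HMAC-SHA256
instead of Fernet (AES-CBC + HMAC), which is enough to show which tokens
stop validating after a rotation.  Key indexes follow the keystone layout:
0 = staged, highest = primary, the rest = secondary.
"""
import hashlib
import hmac
import os


class KeyRepository:
    """In-memory stand-in for the on-disk fernet key repository (assumed)."""

    def __init__(self, max_active_keys=3):
        if max_active_keys < 2:
            raise ValueError("need room for at least a staged and a primary key")
        self.max_active_keys = max_active_keys
        # Assumed starting state: a staged key 0 and a primary key 1.
        self.keys = {0: os.urandom(16), 1: os.urandom(16)}

    @property
    def primary(self):
        return max(self.keys)

    def rotate(self):
        """One rotation: the staged key becomes the new primary, a fresh staged
        key is created, then the lowest-numbered secondary keys are purged
        until no more than max_active_keys remain (purge order is assumed)."""
        self.keys[self.primary + 1] = self.keys.pop(0)
        self.keys[0] = os.urandom(16)
        while len(self.keys) > self.max_active_keys:
            del self.keys[min(i for i in self.keys if i != 0)]
        return self.primary

    def issue(self, payload):
        """Tokens are always issued under the primary key."""
        tag = hmac.new(self.keys[self.primary], payload, hashlib.sha256).hexdigest()
        return payload + b"." + tag.encode()

    def validate(self, token):
        """Like MultiFernet: try every key in the repository, staged included."""
        payload, _, tag = token.rpartition(b".")
        return any(
            hmac.compare_digest(hmac.new(k, payload, hashlib.sha256).hexdigest().encode(), tag)
            for k in self.keys.values()
        )


def rotations_survived(max_active_keys):
    """How many rotations a token issued under the primary key survives
    before the purge removes the key that validates it."""
    repo = KeyRepository(max_active_keys)
    token = repo.issue(b"constructed-token-payload")
    rotations = 0
    while repo.validate(token):
        repo.rotate()
        rotations += 1
    return rotations - 1  # the last rotate() is the one that purged the key


def safe_schedule(token_lifetime_s, rotation_period_s, max_active_keys=3):
    """The check the thread asks for: a token issued just before a rotation
    must expire before its key is purged, i.e. the token lifetime must fit in
    rotations_survived(max_active_keys) rotation periods."""
    return token_lifetime_s <= rotations_survived(max_active_keys) * rotation_period_s


def staged_key_covers_rotation_lag():
    """Why the staged phase exists: node B rotates first and issues a token
    under its new primary; node A has not rotated yet, but that key is still
    A's staged key 0, so A validates the token."""
    node_a = KeyRepository()
    node_b = KeyRepository()
    node_b.keys = dict(node_a.keys)  # the same repository distributed to both nodes
    node_b.rotate()
    token = node_b.issue(b"issued-on-B-after-rotation")
    return node_a.validate(token)


def main():
    lifetime = 3600  # assumed token lifetime in seconds
    for max_keys, period in ((3, 6 * 3600), (3, 1800), (5, 1800)):
        print(f"max_active_keys={max_keys}: a token survives "
              f"{rotations_survived(max_keys)} rotation(s); rotating every "
              f"{period}s with {lifetime}s tokens is "
              f"{'safe' if safe_schedule(lifetime, period, max_keys) else 'UNSAFE'}")
    print("staged key validates a token from an already-rotated node:",
          staged_key_covers_rotation_lag())


if __name__ == "__main__":
    main()
```

With the default of 3 keys a token outlives exactly one rotation, so the rotation period must be at least the token lifetime; every extra key in `max_active_keys` buys one more rotation period of validity for outstanding tokens, which is what the "relation of token expiry to period of key rotation" remark comes down to.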