[oslo][security-sig] How to protect plain-text passwords in local.conf

Hi Akhil,

Right now oslo.config is capable of loading configuration values from files
(default), environment variables (env driver), command line arguments
(default), remote files (remote_file driver) and castellan (castellan

This gives you enough flexibility to come up with a hardening strategy
according to the use case. If you have any questions on how to use each
driver I'd be glad to answer as I wrote most of them.

Best regards,
Moisés Guimarães

On Tue, Apr 9, 2019 at 14:43, Jeremy Stanley <fungi at yuggoth.org>

> On 2019-04-09 08:21:26 +0000 (+0000), Akhil Jayakumar (akjayaku) wrote:
> > Is there a way we can encrypt passwords in local.conf?
> >
> > If so could you please point me to the reference?
> [I've tagged the Oslo team and Security SIG in the subject of my
> reply to bring this to the attention of those audiences as well.]
> The problem with actually encrypting shared secrets in the
> configuration directly is that whatever reads that config needs
> access to the corresponding decryption key, so you haven't solved
> the problem, only created a new secret you also need to encrypt...
> and it's turtles all the way down from there.
> The oslo.config module supports pointing at external configuration
> sources through the use of backend drivers[1]. One such optional
> driver is castellan[2] which is designed for (among other things)
> retrieving values from secure data storage applications like
> Barbican and Vault. The original specification[3] for this
> implementation in the Queens release a year ago describes the use
> case fairly well, as does this poster presentation[4] from
> EuroPython last year. Hope this helps!
> [1] https://docs.openstack.org/oslo.config/latest/reference/drivers.html
> [2] https://docs.openstack.org/castellan/latest/
> [3] https://specs.openstack.org/openstack/oslo-specs/specs/queens/oslo-config-drivers.html
> [4] https://ep2018.europython.eu/media/conference/slides/mastering-applicationservice-configuration.pdf
--
> Jeremy Stanley

Moisés Guimarães
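
The driver-based approach discussed in this thread, sketched as an added configuration example (it is not from the thread or from the oslo.config/castellan projects). The file paths, the `secrets` group name, the `[database] connection` option, the Vault URL and the secret ID are assumptions or placeholders chosen for illustration.

```ini
# ---------------------------------------------------------------
# BEFORE: service.conf with the secret inline (constructed sample)
# ---------------------------------------------------------------
[database]
connection = mysql+pymysql://svc:PLAINTEXT_PASSWORD@db.example.org/svc

# ---------------------------------------------------------------
# AFTER: service.conf names an external config source instead.
# The inline [database] connection value is removed from this file.
# ---------------------------------------------------------------
[DEFAULT]
# Name of the group below that describes the external source.
config_source = secrets

[secrets]
driver = castellan
# Settings castellan needs to reach the key manager (Vault/Barbican).
config_file = /etc/service/castellan.conf
# Maps oslo.config options to secret IDs in the key manager.
mapping_file = /etc/service/castellan-mapping.conf

# ---------------------------------------------------------------
# /etc/service/castellan-mapping.conf
# Layout mirrors the service's own groups; each value is the ID of
# a secret in the key manager, not the secret itself.
# ---------------------------------------------------------------
[database]
connection = <SECRET-ID-PLACEHOLDER>

# ---------------------------------------------------------------
# /etc/service/castellan.conf (assumed Vault backend)
# This file holds what is needed to authenticate to the key
# manager, so it is the one remaining secret on disk: keep it
# readable only by the service account.
# ---------------------------------------------------------------
[key_manager]
backend = vault

[vault]
vault_url = https://vault.example.org:8200

# ---------------------------------------------------------------
# ALTERNATIVE: environment driver. The variable name is
# OS_<GROUP>__<OPTION> (two underscores between group and option):
#   OS_DATABASE__CONNECTION=<value injected by the service manager>
# ---------------------------------------------------------------
```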
