Fernet Key Store
The existing Fernet implementation uses a file-backed key repository for storing Fernet keys. A security improvement would be to put the keys into a dedicated key manager instead of keeping the Fernet keys on disk.
Problem Description
Fernet currently doesn't support putting the keys used for encryption anywhere except on disk. Providing a pluggable key manager would allow deployers to use dedicated key storage tools to secure Fernet encryption keys.
Proposed Change
There is already an interface defined as a @property object of the keystone.token.providers.fernet.token_formatters.TokenFormatter() class. The backend behind this interface could be selected through a Fernet configuration option such as CONF.fernet_tokens.backend. By default the backend would be the existing file-based implementation, but an operator could specify a different backend through configuration; for example, Barbican or Castellan could be used to store Fernet keys.
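The following is an added example, not keystone code, of what a pluggable key backend selected by CONF.fernet_tokens.backend could look like. The backend names ("files" and "key_manager"), the plain-dict shape of the configuration, and the KeyManagerBackend (an offline stand-in for a Barbican/Castellan-backed implementation) are assumptions; the file layout of the existing repository (file 0 is the staged key, the highest-numbered file is the primary key, the rest are secondary keys) matches keystone's current behavior. Every key is validated before use so a corrupt or truncated key is rejected at load time rather than failing silently during token validation.

```python
"""Pluggable Fernet key backend sketch (added example, not keystone's code)."""
import base64
import binascii
import os
import tempfile
from abc import ABC, abstractmethod

# A Fernet key is 32 random bytes, url-safe base64 encoded (44 characters).
FERNET_KEY_BYTES = 32


def validate_fernet_key(key):
    """Reject anything that is not a well-formed Fernet key before it is used."""
    try:
        raw = base64.urlsafe_b64decode(key)
    except (binascii.Error, ValueError):
        raise ValueError("Fernet key is not url-safe base64")
    if len(raw) != FERNET_KEY_BYTES:
        raise ValueError("Fernet key must decode to %d bytes" % FERNET_KEY_BYTES)
    return key


class FernetKeyBackend(ABC):
    """Interface every backend implements: return keys ordered for use.

    The first key is the primary key (used to encrypt new tokens); the rest
    are accepted for decryption only, which is what makes rotation possible.
    """

    @abstractmethod
    def load_keys(self):
        raise NotImplementedError


class FileKeyBackend(FernetKeyBackend):
    """Current behavior: keys live as integer-named files in a directory.

    Keystone's layout: file '0' is the staged key, the highest number is the
    primary key, everything in between is a secondary key.
    """

    def __init__(self, key_repository):
        self.key_repository = key_repository

    def load_keys(self):
        keys = {}
        for name in os.listdir(self.key_repository):
            try:
                index = int(name)
            except ValueError:
                continue  # not a key file, ignore it
            with open(os.path.join(self.key_repository, name)) as f:
                keys[index] = validate_fernet_key(f.read().strip())
        if not keys:
            raise RuntimeError("no Fernet keys found in %s" % self.key_repository)
        primary = max(keys)
        # Primary first, then the secondaries newest-to-oldest, staged key last.
        return [keys[primary]] + [keys[i] for i in sorted(keys, reverse=True)
                                  if i != primary]


class KeyManagerBackend(FernetKeyBackend):
    """Hypothetical stand-in for a key manager such as Barbican or Castellan.

    It takes an already-fetched, ordered key list so the example runs offline;
    a real backend would fetch the keys through the key manager's API.
    """

    def __init__(self, keys):
        self._keys = [validate_fernet_key(k) for k in keys]
        if not self._keys:
            raise RuntimeError("key manager returned no Fernet keys")

    def load_keys(self):
        return list(self._keys)


# Registry keyed by the value of CONF.fernet_tokens.backend (names are assumed).
BACKENDS = {"files": FileKeyBackend, "key_manager": KeyManagerBackend}


def load_backend(conf, **backend_kwargs):
    """Pick the backend named in conf; 'files' preserves today's behavior."""
    name = conf.get("fernet_tokens", {}).get("backend", "files")
    try:
        cls = BACKENDS[name]
    except KeyError:
        raise ValueError("unknown fernet_tokens.backend %r" % name)
    return cls(**backend_kwargs)


def make_key():
    """Generate a fresh Fernet key (constructed sample material)."""
    return base64.urlsafe_b64encode(os.urandom(FERNET_KEY_BYTES)).decode()


def make_temp_repository(keys_by_index):
    """Write {index: key} into a fresh temporary directory in keystone's layout."""
    repo = tempfile.mkdtemp()
    for index, key in keys_by_index.items():
        with open(os.path.join(repo, str(index)), "w") as f:
            f.write(key)
    return repo


if __name__ == "__main__":
    repo = make_temp_repository({0: make_key(), 1: make_key(), 2: make_key()})
    backend = load_backend({}, key_repository=repo)
    print(type(backend).__name__, "loaded", len(backend.load_keys()), "keys")
```

With no backend configured the loader falls back to the file repository, so an existing deployment keeps working unchanged; setting CONF.fernet_tokens.backend to another registered name swaps the key source without touching the token formatter.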
Alternatives
Continue to store keys on disk and use all the existing management tools.
Security Impact
Key rotation and distribution may change depending on the implementation being used. This could be considered a security impact.
Notifications Impact
None
Other End User Impact
None
Performance Impact
None
Other Deployer Impact
The key management tooling provided in keystone-manage may have to change to support other key backends.
Developer Impact
None
Implementation
Assignee(s)
- Primary assignee:
  - mnikolaenko
- Other contributors:
  - breton (bbobrov)
Work Items
- Implement manager layer, define interfaces
- Implement files backend that would preserve current behavior
- Decide on and implement another backend, discussed in another spec