.. _encrypting-properties: ================================= Managing Sensitive Data in Murano ================================= Overview -------- If you are developing a Murano application that manages sensitive data such as passwords, user data, etc, you may want to ensure this is stored in a secure manner in the Murano backend. Murano offers two `yaql` functions to do this, `encryptData` and `decryptData`. .. note:: Barbican or a similar compatible secret storage backend must be configured to use this feature. Configuring ----------- Murano makes use of Castellan_ to manage encryption using a supported secret storage backend. As of OpenStack Pike, Barbican_ is the only supported backend, and hence is the one tested by the Murano community. To configure Murano to use Barbican, place the following configuration into `murano-engine.conf`:: [key_manager] auth_type = keystone_password auth_url = username = password = user_domain_name = Similarly, place the following configuration into `_50_murano.py` to configure the murano-dashboard end:: KEY_MANAGER = { 'auth_url': '/v3', 'username': '', 'user_domain_name': '', 'password': '', 'project_name': '', 'project_domain_name': '' } .. note:: Horizon config must be valid Python, so the quotes above are important. Example ------- `encryptData(foo)`: Call to encrypt string `foo` in storage. Will return a `uuid` which is used to retrieve the encrypted value. `decryptData(foo_key)`: Call to decrypt and retrieve the value represented by `foo_key` from storage. There is an example application available in the murano repository_. .. _Castellan: https://opendev.org/openstack/castellan .. _Barbican: https://opendev.org/openstack/barbican .. _repository: https://opendev.org/openstack/murano/src/branch/master/contrib/packages/EncryptionDemo