Support encryption of credentials in Keystone to avoid having them stored in plain text in the backend.
Large organizations have compliance requirements that forbid storing credentials in plain text. Keystone currently stores credentials in the backend unencrypted, so anyone with access to the backend can read them: an attacker who compromises the backend obtains the credentials of every user, and anyone inside the organization with backend access can read credentials while bypassing the access controls Keystone enforces.
Update the credential driver to support encryption of the blob field in the credential table. Because there are several viable secret providers (Barbican, the cryptography library, etc.), the choice of encryption solution should be pluggable. A single key is used to encrypt credentials. Key management is facilitated by allowing two active keys for decryption and a single active key for encryption, so that a new key can be introduced while credentials encrypted under the previous key remain readable until they are re-encrypted. All credentials are encrypted. Key rotation is done side band (out of band of the API), and keys are deployment wide, shared by every Keystone node.
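The key scheme described above, as an added illustration that is not Keystone's own code: one active encryption key, two keys accepted for decryption, every stored blob encrypted, and rotation done side band. It uses the cryptography library's Fernet and MultiFernet; the class names, method names, the in-memory "table" and the sample credential blob are assumptions made for this example. The walkthrough also shows the failure mode a deployer must avoid: rotating twice without re-encrypting the stored blobs in between drops the only key that can still read them.

```python
"""Added example of encrypting the credential blob column with one encryption
key and two decryption keys.  Not Keystone's own code; names are hypothetical."""
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


class CredentialKeyRing:
    """Deployment-wide keys: keys[0] encrypts, keys[0] and keys[1] decrypt."""

    MAX_KEYS = 2  # one active encryption key plus one previous key

    def __init__(self, keys):
        if not 1 <= len(keys) <= self.MAX_KEYS:
            raise ValueError("key ring holds one or two keys")
        self._keys = list(keys)

    @property
    def primary(self):
        return self._keys[0]

    def encrypt(self, blob: bytes) -> bytes:
        # Always the single active encryption key.
        return Fernet(self.primary).encrypt(blob)

    def decrypt(self, token: bytes) -> bytes:
        # MultiFernet tries each key in order; raises InvalidToken if none match.
        return MultiFernet([Fernet(k) for k in self._keys]).decrypt(token)

    def rotate(self, new_key: bytes):
        # Side-band rotation: the new key becomes the encryption key, the old
        # primary is kept for decryption, anything older is dropped.
        self._keys = [new_key] + self._keys[: self.MAX_KEYS - 1]


class CredentialStore:
    """Stand-in for the credential table: the blob column only ever holds ciphertext."""

    def __init__(self, ring: CredentialKeyRing):
        self.ring = ring
        self.rows = {}  # credential id -> encrypted blob

    def create(self, cred_id: str, blob: bytes):
        self.rows[cred_id] = self.ring.encrypt(blob)

    def get(self, cred_id: str) -> bytes:
        return self.ring.decrypt(self.rows[cred_id])

    def reencrypt_all(self):
        # Re-wrap every row under the current primary so the previous key can be retired.
        for cred_id, token in self.rows.items():
            self.rows[cred_id] = self.ring.encrypt(self.ring.decrypt(token))


def rotation_walkthrough() -> dict:
    """Run the rotation procedure and report what is readable at each step."""
    # Constructed sample blob, not a real credential.
    plaintext = b'{"access": "example-access", "secret": "example-secret"}'
    k_old, k_new, k_newer = (Fernet.generate_key() for _ in range(3))
    results = {}

    ring = CredentialKeyRing([k_old])
    store = CredentialStore(ring)
    store.create("cred-1", plaintext)
    # A compromised backend only yields ciphertext.
    results["backend_holds_plaintext"] = plaintext in store.rows["cred-1"]

    ring.rotate(k_new)                       # step 1: introduce the new key
    results["readable_after_rotate"] = store.get("cred-1") == plaintext
    store.reencrypt_all()                    # step 2: re-encrypt under the new key
    ring.rotate(k_newer)                     # step 3: now k_old may be retired
    results["readable_after_reencrypt"] = store.get("cred-1") == plaintext

    # Failure mode: skipping step 2 and rotating twice retires the only usable key.
    ring2 = CredentialKeyRing([k_old])
    store2 = CredentialStore(ring2)
    store2.create("cred-2", plaintext)
    ring2.rotate(k_new)
    ring2.rotate(k_newer)
    try:
        store2.get("cred-2")
        results["readable_without_reencrypt"] = True
    except InvalidToken:
        results["readable_without_reencrypt"] = False
    return results


if __name__ == "__main__":
    for step, ok in rotation_walkthrough().items():
        print(f"{step}: {ok}")
```

The ordering in `rotation_walkthrough` is the whole point of allowing a second decryption key: rotate in, re-encrypt every row, and only then rotate the old key out. Because keys are deployment wide, every Keystone node must see the same ring before the re-encryption pass runs.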
Barbican
Improved security of confidential information.
None
None
Encryption adds a cryptographic operation to every credential write and a decryption to every credential read, so credential operations will be slower.
Deployers will need to manage the keys. Keys will initially be stored in configuration files, so those files must be readable only by the Keystone service user; anyone holding both the keys and backend access can still decrypt every credential. Setting this up will require a small amount of effort.
None