The existing Fernet implementation uses a file-backed key repository for storing Fernet keys. A security improvement is to put the keys into a dedicated key manager instead of keeping the Fernet keys on disk.
Fernet currently doesn't support storing the keys used for encryption anywhere except on disk. Providing a pluggable key manager would allow deployers to use dedicated key storage tools to secure Fernet encryption keys.
There is already an interface defined as a @property object of the keystone.token.providers.fernet.token_formatters.TokenFormatter() class. The backend behind this interface could be selected through a Fernet configuration option such as CONF.fernet_tokens.backend. By default the backend would be the existing file-based implementation, but an operator could specify a different backend via configuration. For example, Barbican or Castellan could be used to store Fernet keys.
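The following sketch is an added example, not keystone code, showing what a pluggable key backend selected by a configuration value could look like: a small repository interface, the file-backed default, a hypothetical key-manager-backed stand-in (an in-memory dict plays the role of Barbican or Castellan), and a formatter that reads keys through a property rather than touching the filesystem itself. The names KeyRepository, BACKENDS and load_backend are assumptions of the example; so is the on-disk layout (integer-named key files, highest number is the primary key), which is modelled on keystone's convention but is not stated on this page.

```python
"""Pluggable Fernet key repository sketch (added example, not keystone code)."""
import abc
import os
import tempfile


class KeyRepository(abc.ABC):
    """Interface every Fernet key backend must provide (assumed name)."""

    @abc.abstractmethod
    def load_keys(self):
        """Return key material as a list with the primary (encryption) key first."""


class FileKeyRepository(KeyRepository):
    """Default backend: keys are integer-named files in a directory.
    Assumption modelled on keystone's layout: the highest-numbered file is
    the primary key, 0 is the staged key, unrelated files are ignored."""

    def __init__(self, key_repository):
        self.key_repository = key_repository

    def load_keys(self):
        keys = {}
        for name in os.listdir(self.key_repository):
            path = os.path.join(self.key_repository, name)
            if not os.path.isfile(path):
                continue
            try:
                key_id = int(name)
            except ValueError:
                continue  # not a key file
            with open(path) as f:
                keys[key_id] = f.read().strip()
        # highest key id first: that is the key used for encryption
        return [keys[k] for k in sorted(keys, reverse=True)]


class KeyManagerRepository(KeyRepository):
    """Hypothetical stand-in for a Barbican/Castellan-backed backend.
    Key material never touches local disk; here the 'manager' is a dict."""

    def __init__(self, manager, key_ids):
        self.manager = manager
        self.key_ids = key_ids

    def load_keys(self):
        return [self.manager[k] for k in sorted(self.key_ids, reverse=True)]


# Hypothetical registry keyed by the value of CONF.fernet_tokens.backend.
BACKENDS = {"file": FileKeyRepository, "keymanager": KeyManagerRepository}


def load_backend(backend_name, **kwargs):
    """Instantiate the backend named by configuration; reject unknown names."""
    try:
        cls = BACKENDS[backend_name]
    except KeyError:
        raise ValueError("unknown fernet backend: %r" % backend_name)
    return cls(**kwargs)


class TokenFormatter:
    """Mirrors the @property interface named in the spec: the formatter asks
    the configured backend for keys instead of reading files itself."""

    def __init__(self, backend):
        self.backend = backend

    @property
    def keys(self):
        return self.backend.load_keys()

    @property
    def primary_key(self):
        keys = self.keys
        if not keys:
            raise RuntimeError("key repository is empty")
        return keys[0]


def demo_file_backend():
    """Constructed on-disk repository with keys 0 (staged), 1 and 2 (primary)."""
    tmpdir = tempfile.mkdtemp()
    for key_id, material in [(0, "staged-key"), (1, "old-key"), (2, "primary-key")]:
        with open(os.path.join(tmpdir, str(key_id)), "w") as f:
            f.write(material)
    with open(os.path.join(tmpdir, "README"), "w") as f:
        f.write("not a key")  # must be ignored by the loader
    formatter = TokenFormatter(load_backend("file", key_repository=tmpdir))
    return formatter.keys


def demo_keymanager_backend():
    """Same formatter, different backend; constructed key material."""
    manager = {7: "km-primary", 3: "km-old"}
    backend = load_backend("keymanager", manager=manager, key_ids=[3, 7])
    return TokenFormatter(backend).keys


if __name__ == "__main__":
    print(demo_file_backend())
    print(demo_keymanager_backend())
```

The point of the property is that nothing above it depends on where keys live: swapping `file` for `keymanager` in configuration changes only which `KeyRepository` is instantiated, while encryption still uses whatever the backend returns first.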
Continue to store keys on disk and use all the existing management tools.
Key rotation and distribution may change depending on the backend implementation being used. This could be considered a security impact.
None
None
None
The key management tooling provided in keystone-manage may have to change to support other key backends.
None