[Cryptography-dev] Key storages

Boris Bobrov bbobrov at mirantis.com
Mon Dec 19 16:17:11 EST 2016


Hi!

I work on OpenStack Keystone. We use Fernet keys for our tokens. A
token is basically a tuple encrypted with a Fernet key.

Fernet keys need to be rotated once in a while. Now we store them on
disk. But it is problematic to rotate them in containers, because
containers are supposed to be immutable.

So the idea of key storages came up. For example, we could store the
keys in a database. Or in OpenStack Barbican, which is a REST API
designed for the secure storage, provisioning and management of
secrets such as encryption keys. Or in Custodia,
https://github.com/latchset/custodia

However, it doesn't sound like this should be in Keystone. It is
not Keystone-specific and all Fernet key users will probably
benefit from that. What do you think about adding this sort of
functionality to cryptography?

The idea is to define an abstract class in cryptography for a storage.
An instance of storage will be passed to MultiFernet, which will
read the keys from there, create individual instances of
fernet.Fernet and perform all the usual stuff. Storage classes can
be implemented inside cryptography or outside of it.

What do you think about this?
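The sketch below is an added example (not code from the post, from Keystone, or from cryptography itself) of what the proposed storage abstraction could look like on top of the existing `MultiFernet`: an abstract `KeyStorage`, a stand-in in-memory backend (a database, Barbican or Custodia backend would implement the same three methods), a wrapper that rebuilds the `MultiFernet` from whatever keys the storage currently holds, and a rotation routine. The class and function names, the newest-first key ordering, and the "re-encrypt tokens before retiring the oldest key" policy are assumptions of this example; the rotation walk-through shows why retiring a key too early makes tokens issued under it undecryptable.

```python
"""Key-storage abstraction for MultiFernet (illustrative; not cryptography's API)."""
import abc
from typing import List, Optional

from cryptography.fernet import Fernet, InvalidToken, MultiFernet


class KeyStorage(abc.ABC):
    """Hypothetical abstract storage. Keys are returned newest-first, because
    MultiFernet encrypts with the first key and tries the rest on decrypt."""

    @abc.abstractmethod
    def load_keys(self) -> List[bytes]:
        """Return all currently valid Fernet keys, newest first."""

    @abc.abstractmethod
    def add_key(self, key: bytes) -> None:
        """Make `key` the new primary (first) key."""

    @abc.abstractmethod
    def remove_key(self, key: bytes) -> None:
        """Retire `key`; tokens issued under it can no longer be decrypted."""


class InMemoryKeyStorage(KeyStorage):
    """Stand-in backend (constructed for this example); a database, Barbican or
    Custodia implementation would expose the same three operations."""

    def __init__(self, keys: Optional[List[bytes]] = None) -> None:
        self._keys: List[bytes] = list(keys or [])

    def load_keys(self) -> List[bytes]:
        return list(self._keys)

    def add_key(self, key: bytes) -> None:
        self._keys.insert(0, key)  # newest first

    def remove_key(self, key: bytes) -> None:
        self._keys.remove(key)


class StorageBackedMultiFernet:
    """Builds a MultiFernet from the storage on every call, so a rotation performed
    by another process (or container) is picked up without restarting."""

    def __init__(self, storage: KeyStorage) -> None:
        self._storage = storage

    def _multi(self) -> MultiFernet:
        keys = self._storage.load_keys()
        if not keys:
            raise ValueError("key storage holds no keys")
        return MultiFernet([Fernet(k) for k in keys])

    def encrypt(self, data: bytes) -> bytes:
        return self._multi().encrypt(data)

    def decrypt(self, token: bytes, ttl: Optional[int] = None) -> bytes:
        return self._multi().decrypt(token, ttl)

    def rotate(self, token: bytes) -> bytes:
        """Re-encrypt an existing token under the current primary key."""
        return self._multi().rotate(token)


def rotate_keys(storage: KeyStorage, keep: int = 2) -> bytes:
    """Add a fresh primary key; once more than `keep` keys exist, retire the oldest.
    Retirement policy is an assumption of this example."""
    new_key = Fernet.generate_key()
    storage.add_key(new_key)
    keys = storage.load_keys()
    if len(keys) > keep:
        storage.remove_key(keys[-1])
    return new_key


def demo_rotation() -> dict:
    """Walk a token through two rotations and report what still decrypts."""
    payload = b"user-id,project-id,expires-at"  # constructed stand-in for a token tuple
    storage = InMemoryKeyStorage([Fernet.generate_key()])
    mf = StorageBackedMultiFernet(storage)
    token = mf.encrypt(payload)

    # Rotation 1: new primary added, old key kept, so the old token still decrypts.
    rotate_keys(storage)
    decrypts_after_first = mf.decrypt(token) == payload

    # Re-encrypt under the new primary *before* the old key is retired.
    rotated = mf.rotate(token)

    # Rotation 2: the key that issued `token` is now the oldest and gets retired.
    rotate_keys(storage)
    try:
        mf.decrypt(token)
        old_decrypts_after_retire = True
    except InvalidToken:
        old_decrypts_after_retire = False
    rotated_decrypts_after_retire = mf.decrypt(rotated) == payload

    return {
        "keys_in_storage": len(storage.load_keys()),
        "old_token_decrypts_after_first_rotation": decrypts_after_first,
        "old_token_decrypts_after_retirement": old_decrypts_after_retire,
        "rotated_token_decrypts_after_retirement": rotated_decrypts_after_retire,
    }


if __name__ == "__main__":
    print(demo_rotation())
```

Because the wrapper re-reads the storage on each operation, a key rotated by a separate job shows up in every container sharing the backend; the cost is one storage read per token operation, which a real backend would cache with a short TTL. The retirement step is the one to get right operationally: any token still outstanding under a retired key becomes invalid, which is why the example rotates tokens forward before the oldest key is dropped.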

