[Cryptography-dev] Key storages

Ian Cordasco sigmavirus24 at gmail.com
Tue Dec 20 07:16:23 EST 2016


I tend to agree with Alex. There's nothing dealing with persistence in
Cryptography at the moment (whether that be persisting to disk or
elsewhere). This doesn't belong in Cryptography.

On Mon, Dec 19, 2016 at 3:18 PM, Alex Gaynor <alex.gaynor at gmail.com> wrote:
> I'm opposed -- there's no benefit to this being in cryptography itself; this
> API can be totally implemented outside of it.
>
> Alex
>
> On Mon, Dec 19, 2016 at 4:17 PM, Boris Bobrov <bbobrov at mirantis.com> wrote:
>>
>> Hi!
>>
>> I work on OpenStack Keystone. We use Fernet keys for our tokens. A
>> token is basically a tuple encrypted with a fernet key.
>>
>> Fernet keys need to be rotated once in a while. Now we store them on
>> disk. But it is problematic to rotate them in containers, because
>> containers are supposed to be immutable.
>>
>> So the idea of key storages came up. For example, we could store the
>> keys in a database. Or in OpenStack Barbican, which is a REST API
>> designed for the secure storage, provisioning and management of
>> secrets such as encryption keys. Or in Custodia,
>> https://github.com/latchset/custodia
>>
>> However, it doesn't sound like this should be in Keystone. It is
>> not keystone-specific and all Fernet key users will probably
>> benefit from that. What do you think about adding this sort of
>> functionality to cryptography?
>>
>> The idea is to define an abstract class in cryptography for a storage.
>> An instance of storage will be passed to MultiFernet, which will
>> read the keys from there, create individual instances of
>> fernet.Fernet and perform all the usual stuff. Storage classes can
>> be implemented inside cryptography or outside of it.
>>
>> What do you think about this?
>> _______________________________________________
>> Cryptography-dev mailing list
>> Cryptography-dev at python.org
>> https://mail.python.org/mailman/listinfo/cryptography-dev
>
>
>
>
> --
> "I disapprove of what you say, but I will defend to the death your right to
> say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> GPG Key fingerprint: D1B3 ADC0 E023 8CA6
>
>
>



-- 
Ian Cordasco
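The storage abstraction Boris describes (an ordered key store handed to MultiFernet, which builds the individual Fernet instances and handles rotation) can be built entirely outside cryptography, as Alex notes. The following is an added illustration, not code from the thread or from the cryptography project: `KeyStorage`, `DictKeyStorage`, `fernet_from_storage` and `rotate` are hypothetical names, and the dict backend stands in for a database, Barbican or Custodia backend.

```python
"""Key-storage abstraction for MultiFernet, implemented outside cryptography."""
import abc
from cryptography.fernet import Fernet, MultiFernet, InvalidToken


class KeyStorage(abc.ABC):
    """Hypothetical interface: load_keys() returns keys newest first,
    so index 0 is the key MultiFernet encrypts with."""

    @abc.abstractmethod
    def load_keys(self):
        """Return an ordered list of Fernet keys (bytes), newest first."""

    @abc.abstractmethod
    def add_key(self, key):
        """Persist a new key and return its version number."""


class DictKeyStorage(KeyStorage):
    """Stand-in backend (constructed sample): version number -> key.
    A real backend would read/write a database or a secret-store API."""

    def __init__(self, keys=None):
        self._keys = dict(keys or {})

    def load_keys(self):
        # Highest version first: it becomes the primary (encrypting) key;
        # older versions stay so tokens issued under them still decrypt.
        return [self._keys[v] for v in sorted(self._keys, reverse=True)]

    def add_key(self, key):
        version = max(self._keys, default=-1) + 1
        self._keys[version] = key
        return version


def fernet_from_storage(storage):
    """Build a MultiFernet from whatever the storage currently holds."""
    keys = storage.load_keys()
    if not keys:
        raise ValueError("key storage holds no keys")
    return MultiFernet([Fernet(k) for k in keys])


def rotate(storage, tokens):
    """Add a fresh primary key and re-encrypt existing tokens under it."""
    storage.add_key(Fernet.generate_key())
    multi = fernet_from_storage(storage)
    return [multi.rotate(t) for t in tokens]


def can_decrypt(multi, token):
    """True if any key in this MultiFernet verifies and decrypts the token."""
    try:
        multi.decrypt(token)
        return True
    except InvalidToken:
        return False
```

Because the storage keeps older versions, tokens issued before a rotation remain valid until those keys are dropped from the store; a token re-encrypted with `rotate` is unreadable to a process that still only sees the old key.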

