10 Encryption of Passwords and Sensitive Data
In SUSE OpenStack Cloud, sensitive connection data is encrypted. The passwords that are encrypted include:
Inter-service passwords generated by the configuration processor (keystone, MariaDB, RabbitMQ and Cassandra passwords)
Secret keys generated by the configuration processor (MariaDB cluster-id, erlang cookie for RabbitMQ, horizon secret key, keystone admin token)
User-supplied passwords (IPMI passwords, Block Storage back-end passwords)
10.1 SSH Introduction
What is encrypted | Encryption mechanism | Is password changeable | Is encryption key changeable
---|---|---|---
Inter-service passwords and secret keys generated by the configuration processor (keystone, MariaDB, RabbitMQ and Cassandra passwords) | Uses PyCrypto libraries and Ansible Vault for encryption | No | Yes. The passphrase for the encryption key is prompted for when running the Ansible playbook. Can also use command
User-supplied passwords (IPMI passwords, Block Storage back-end passwords) | OpenSSL | Yes | Yes. The environment variable ARDANA_USER_PASSWORD_ENCRYPT_KEY must contain the key used to encrypt those passwords.
Other protected data:
The SSH private key used by Ansible to connect to client nodes from the Cloud Lifecycle Manager is protected with a passphrase.
The swift swift-hash prefix and suffix values are encrypted.
All of the Ansible variables generated by the configuration processor are encrypted and held in Ansible Vault.
If a user wants to change the encryption keys, this can be done for all categories of passwords and secret keys listed below, and the procedures are documented.
The SSH private key passphrase needs to be entered once before any Ansible plays are run against the cloud.
The configuration processor encryption key is prompted for when the relevant Ansible play is run. Once the configuration processor output has been encrypted, all subsequent Ansible plays need --ask-ansible-pass added to the command line so that Ansible prompts for the encryption key it needs.
Finally, if user-supplied passwords have been encrypted (this process uses the OpenSSL library) then the environment variable ARDANA_USER_PASSWORD_ENCRYPT_KEY must contain the key used to encrypt those passwords.
If the ARDANA_USER_PASSWORD_ENCRYPT_KEY environment variable is null, the empty string, or not defined, the ardanaencrypt.py script performs no encryption on your passwords.
The generated passwords are stored in Ansible inputs generated by the configuration processor and also in the persistent state information maintained by the configuration processor.
10.2 Protecting sensitive data on the Cloud Lifecycle Manager
There are a number of mechanisms that can be used to protect sensitive data such as passwords, some Ansible inputs, and the SSH key used by Ansible on the Cloud Lifecycle Manager. See the installation documents for details. Remember to guard against exposure of your environment variables, for example to someone watching over your shoulder.
The installation documents include instructions that show how to encrypt your data using the ardanaencrypt.py script. You may want to change the encryption keys used to protect your sensitive data in the future; this is how:
SSH keys - Run the command below to change the passphrase used to protect the key:
ssh-keygen -f id_rsa -p
Configuration processor key - If you wish to change an encryption password that you have already used when running the configuration processor, enter the existing password at the first prompt and the new password at the second prompt when running the configuration processor playbook. See Book “Deployment Guide using Cloud Lifecycle Manager”, Chapter 24 “Installing Mid-scale and Entry-scale KVM” for more details.
IPMI passwords, if encrypted with ardanaencrypt.py - Rerun the utility, specifying a new encryption key when prompted. You will need to enter the plain-text passwords at the password prompt.
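The SSH passphrase change above can be verified rather than taken on trust. The following shell script is an added example, not part of the SUSE guide or of the Cloud Lifecycle Manager tooling: it wraps the same ssh-keygen -p operation with -P and -N so the old and new passphrases can be supplied by a script, then confirms with ssh-keygen -y that the new passphrase unlocks the key and the old one no longer does. The key path and passphrases are caller-supplied placeholders, not real values.

```shell
#!/bin/sh
# Added example, not from the SUSE guide: rotates the passphrase on an SSH
# private key non-interactively and verifies that the rotation took effect.
# KEYFILE and the passphrases are supplied by the caller; none are real values.

# rotate_ssh_passphrase KEYFILE OLD_PASSPHRASE NEW_PASSPHRASE
# Same operation as the guide's 'ssh-keygen -f id_rsa -p', with -P/-N
# supplying the old and new passphrases so the step can run from a script.
rotate_ssh_passphrase() {
    ssh-keygen -q -p -f "$1" -P "$2" -N "$3"
}

# verify_ssh_passphrase KEYFILE PASSPHRASE
# Returns 0 if PASSPHRASE unlocks the key: 'ssh-keygen -y' has to decrypt the
# private key to re-derive the public key, so a wrong passphrase fails.
verify_ssh_passphrase() {
    ssh-keygen -y -f "$1" -P "$2" >/dev/null 2>&1
}

# check_rotation KEYFILE OLD_PASSPHRASE NEW_PASSPHRASE
# Confirms the new passphrase works and the old one is rejected.
# Returns 0 only when both conditions hold.
check_rotation() {
    if verify_ssh_passphrase "$1" "$3" && ! verify_ssh_passphrase "$1" "$2"; then
        echo "passphrase rotated: $1"
        return 0
    fi
    echo "passphrase rotation FAILED: $1" >&2
    return 1
}
```

Passing passphrases with -P and -N places them on the command line, where other users of the host can read them from the process list while ssh-keygen runs. On a shared Cloud Lifecycle Manager the interactive form given in the guide is preferable; the scripted form is suited to a key you are exercising in a scratch directory.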
10.3 Interacting with Encrypted Files
Once you have enabled encryption in your environment you may need to interact with these encrypted files at a later time. This section shows you how.
ardanaencrypt.py script password encryption
If you used the ardanaencrypt.py script to encrypt your IPMI or other passwords and need to view them later, you can do so with these steps.
Ensure that the ARDANA_USER_PASSWORD_ENCRYPT_KEY environment variable is set before running these commands:
export ARDANA_USER_PASSWORD_ENCRYPT_KEY="<encryption_key>"
To view an encrypted password, use the command below. It prompts you for the encrypted password value and then outputs the decrypted value:
./ardanaencrypt.py -d
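The behaviour described in Section 10.1 and here, encryption and decryption that work only while ARDANA_USER_PASSWORD_ENCRYPT_KEY is set, and no encryption at all when the variable is unset or empty, can be illustrated with a small shell script. This is an added example written for this page; it is not the ardanaencrypt.py script and does not reproduce its ciphertext format. It uses the openssl command-line tool for the symmetric step and reads the key from the environment variable named in the guide.

```shell
#!/bin/sh
# Added example (not the ardanaencrypt.py script itself): mirrors the guide's
# rule that encryption only happens when ARDANA_USER_PASSWORD_ENCRYPT_KEY is
# set to a non-empty value, using the openssl CLI for the symmetric step.
# The ciphertext format of the real ardanaencrypt.py is not reproduced here.

# Returns 0 when the key variable is set and non-empty, 1 otherwise.
# ${VAR:-} expands to "" when VAR is unset, so unset and empty are handled alike.
have_encrypt_key() {
    [ -n "${ARDANA_USER_PASSWORD_ENCRYPT_KEY:-}" ]
}

# encrypt_password PLAINTEXT -> prints single-line base64 ciphertext on stdout.
# The key is handed to openssl with 'env:' so it is read from the environment
# and never appears in the process list (a '-pass pass:...' argument would).
encrypt_password() {
    if ! have_encrypt_key; then
        echo "ARDANA_USER_PASSWORD_ENCRYPT_KEY is unset or empty; refusing to store plaintext" >&2
        return 1
    fi
    printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -salt -a -A \
        -pass env:ARDANA_USER_PASSWORD_ENCRYPT_KEY
}

# decrypt_password CIPHERTEXT_B64 -> prints the recovered plaintext on stdout.
# Same key source as encrypt_password; fails if the variable is not set.
decrypt_password() {
    if ! have_encrypt_key; then
        echo "ARDANA_USER_PASSWORD_ENCRYPT_KEY is unset or empty; cannot decrypt" >&2
        return 1
    fi
    printf '%s' "$1" | openssl enc -d -aes-256-cbc -pbkdf2 -a -A \
        -pass env:ARDANA_USER_PASSWORD_ENCRYPT_KEY
}
```

The variable must be exported, as in the export line above, for openssl to see it. Reading the key with -pass env: rather than putting it in the command line is the same precaution the guide hints at when it warns about exposure of environment variables: the value lives only in the shell's environment and in openssl's, not in a process listing or the shell history.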
Configuration processor encryption key
If you have used the encryption options available with the configuration processor, which uses Ansible Vault, you can view and edit the encrypted files with these commands. Each command prompts you for the password you used when setting up the encryption initially.
To view an encrypted file in read-only mode, use this command:
ansible-vault view <filename>
To edit an encrypted file, use this command. It lets you edit a decrypted version of the file without having to decrypt and re-encrypt it yourself:
ansible-vault edit <filename>
For other available commands, use the help option:
ansible-vault -h