
I want to launch a VM instance on OpenStack which will then download some files from a secure server. The credentials of the secure server are dynamic and depend on the user launching the instance. I want the user to be able to pass the credentials to the instance in a secure way. I am able to pass the credentials as metadata or userdata, but in this case they are passed in clear text and can be easily viewed by anyone who has read access to the instance's metadata. Only the instance owner has access to the instance itself, as access is secured with SSH keys; however, I believe the metadata can be viewed by OpenStack admins and other OpenStack users. Does anyone have any suggestions on how to pass this data securely?

user3477889
  • Brainstorming a few ideas without giving thought to feasibility: I don't know if Barbican, OpenStack's store for secrets of all sorts, can be used by applications, but I suggest you explore that. A cheaper solution might be encrypting the credentials with the instance's SSH key. Or put them in a Swift object to which only the owner has access (Swift supports encryption). Or an encrypted Cinder volume (in this case, the volume's keys **are** in Barbican). – berndbausch May 19 '21 at 00:40
  • Thank you for the feedback @berndbausch. I have thought about encrypting the passwords with the instance SSH keys, but remember that if I encrypt the passwords with my private key anyone with the public key will be able to decrypt it. The instance has a copy of my public key which allows me to ssh with my private key, but it is possible for others to also get hold of the public key. – user3477889 May 20 '21 at 21:47
  • Not very familiar with Barbican, but I was hoping for a simple solution that I can implement natively with openstack without need to install any new servers, APIs, etc. – user3477889 May 20 '21 at 21:55
  • Encrypt the credentials with the public key. Then, only the holder of the private key can decrypt it. – berndbausch May 20 '21 at 22:00
  • It's not that easy to implement. Normally the instance has the public key and the user of the instance uses his own private key. Also, there is no way I am aware of to encrypt stack parameters using a specific key so that they can be decrypted later by the instance. Normally any stack parameters/metadata are just sent as-is to the instance, so if a user enters plain-text credentials they will become plain-text stack parameters. – user3477889 May 25 '21 at 19:18
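
The key direction berndbausch describes (encrypt with the public key, so only the holder of the private key can decrypt) as an added example that is not from this thread: it assumes the instance generates its own keypair at first boot and exports only the public half, so the owner seals the credentials to that key and the blob in userdata is useless to anyone else reading the metadata; the function names and the sample credential string are constructed for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// OAEP label binds the ciphertext to this purpose; a blob sealed for another use will not open here.
var label = []byte("openstack-instance-creds")

// Step 1, on the instance (e.g. from cloud-init at first boot): make a keypair whose
// private half never leaves the instance; only the public half is exported to the owner.
func GenerateInstanceKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Step 2, on the owner's workstation: seal the credentials to the instance's public key.
// The base64 output can be placed in userdata/metadata; readers of the metadata see only
// ciphertext. RSA-2048 with OAEP/SHA-256 holds at most 190 bytes, enough for a short secret.
func SealForInstance(pub *rsa.PublicKey, creds []byte) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, creds, label)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Step 3, on the instance: fetch the blob from the metadata service and open it with the
// private key. A wrong key or a tampered blob yields an error, never wrong plaintext.
func OpenOnInstance(priv *rsa.PrivateKey, sealed string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, label)
}

func main() {
	priv, err := GenerateInstanceKey()
	if err != nil {
		panic(err)
	}
	sealed, _ := SealForInstance(&priv.PublicKey, []byte("user=alice password=example-only")) // constructed sample
	creds, _ := OpenOnInstance(priv, sealed)
	fmt.Printf("userdata value: %s\nrecovered on the instance: %s\n", sealed, creds)
}
```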
