Security

Cryptography

TLS transport encryption

All network endpoints exposed by OpenStack services deployed within MicroStack are secured using TLS. MicroStack allows the user to provide their own SSL certificates, enabling the use of certificates issued by their preferred Certificate Authority.

TLS certificate private keys are managed by the TLS Interface Library which makes use of Python’s cryptography library to generate 2048-bit, 65537-exponent RSA keys for X.509 certificates.

OVN: Network virtualisation

OVN (open virtual network) network virtualisation is implemented in OpenStack MicroStack and is secured through TLS (see TLS transport encryption for details). User authentication is implemented through the use of client certificates ensuring only trusted components can access the OVN service.

Keystone: Authentication tokens

Keystone (The OpenStack Identity Service) issues tokens upon successful authentication, which are used to access other OpenStack services. Keystone uses Fernet symmetric encryption tokens by default which consist of a 128-bit AES key and a 128-bit SHA256 HMAC signing key. Python’s cryptography library distributed in Ubuntu provides the cryptographic functions necessary for token generation and validation.

Keystone can integrate with external identity systems like LDAP, SAML, and OpenID Connect, allowing for centralised identity management and authentication workflows.

Barbican: Secrets management

Barbican (The OpenStack Secrets Service) provides secrets management for end users of a MicroStack Cloud and integrates with Vault for storage of secrets. Secrets managed by Barbican can be used for encrypting volumes in Cinder or TLS private keys for load balancers. Barbican does not perform any cryptographic operations directly.

Vault: Secrets Storage

The Vault service used by Barbican stores and retrieves information using an 4096-bit RSA encryption key. Access to the encryption key is protected using a root key which in turn is protected by multiple unseal keys providing a Shamir seal, of which a configurable number (typically 3 out of 5) must be provided to ‘unseal’ the Vault deployment and provide the service access to the root key which is then used to access the main encryption key. Vault uses the standard Golang Crypto module for cryptographic operations.

Access to Vault is secured using TLS (see TLS transport encryption).

Last updated 7 days ago. Help improve this document in the forum.