Merge "docs: Add documentation on data redaction"

changes/22/610722/3
Zuul 8 months ago
parent
commit
27aeeb8fea
1 changed files with 27 additions and 0 deletions
doc/source/users/encryption.rst

@@ -51,6 +51,33 @@ However, Deckhand will attempt to use Barbican's `other`_ secret types where
51 51
 possible. For example, Deckhand will use "public" for document types with kind
52 52
 ``PublicKey``.
53 53
 
54
+.. _data-redaction:
55
+
56
+Data Redaction
57
+==============
58
+
59
+Deckhand supports redacting sensitive document data, including:
60
+
61
+* ``data`` section:
62
+
63
+  * to avoid exposing the Barbican secret reference, in the case of the
64
+    "GET documents" endpoint
65
+  * to avoid exposing actual secret payloads, in the case of the
66
+    "GET rendered-documents" endpoint
67
+
68
+* ``substitutions[n].src|dest`` sections:
69
+
70
+  * to avoid reverse-engineering where sensitive data is substituted from or
71
+    into (in case the sensitive data is derived via :ref:`substitution`)
72
+
73
+.. note::
74
+
75
+  Document sections related to :ref:`layering` do not require redaction because
76
+  secret documents are :ref:`control-documents`, which cannot be layered
77
+  together.
78
+
79
+See the :ref:`api-ref` for more information on how to redact sensitive data.
80
+
54 81
 .. _Barbican: https://docs.openstack.org/barbican/latest/api/
55 82
 .. _restriction: https://docs.openstack.org/barbican/latest/api/reference/secrets.html#get-v1-secrets
56 83
 .. _any: https://github.com/openstack/barbican/blob/7991f8b4850d76d97c3482428638f788f5798a56/barbican/plugin/interface/secret_store.py#L272
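
Review bot: The note under "Data Redaction" justifies skipping layering sections with "secret documents are :ref:`control-documents`, which cannot be layered together", but the ``substitutions[n].src|dest`` bullet just above it says sensitive data can also be substituted into other documents, and the note does not say whether those destination documents fall under the same reasoning. Suggest stating explicitly whether a document that receives a secret via substitution can take part in layering, and if so why its layering sections still need no redaction. The section also never says what a redacted value looks like in a response or how a caller requests redaction; it defers all of that to :ref:`api-ref`, so one sentence summarising the behaviour here would help readers who arrive from the encryption page. The ``src|dest`` shorthand would read more clearly as two separate paths, ``substitutions[n].src`` and ``substitutions[n].dest``.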
