315339a96e
A new congress/encryption.py module handles all aspects of encryption. The datasource DB interface class encapsulates all the encryption (on write) and decryption (on read). A new config option `encryption_key_path` has been added to the DEFAULT section to specify the path to the directory containing encryption keys for encrypting secret fields in datasource config. The default value works for most deployments. A new key is automatically generated and placed in the `key_path` directory if none exists. Temporarily disabled an HA test which fails because the test set up needs to be updated (the way popen starts the replicas, they do not have permission to access the encryption keys set up by the original congress instance. See this output for more detail: http://logs.openstack.org/35/487235/3/check/gate-congress-dsvm-api-mysql-ubuntu-xenial/f53656f/testr_results.html.gz (OSError: [Errno 13] Permission denied: '/etc/congress/keys/aes_key') Change-Id: I49a71bb398383f93cd2ea93e054a9a27a45c4660
17 lines
684 B
YAML
17 lines
684 B
YAML
---
|
|
prelude: >
|
|
upgrade:
|
|
- A new config option `encryption_key_path` has been added to the DEFAULT
|
|
section to specify the path to the directory containing encryption keys for
|
|
encrypting secret fields in datasource config. The default value
|
|
(/etc/congress/keys) works for most deployments. A new key will be
|
|
automatically generated and placed in the directory specified by the
|
|
config option.
|
|
|
|
security:
|
|
- Secret fields in datasource configuration are now encrypted using Fernet
|
|
(AES-128 CBC; HMAC-SHA256).
|
|
Existing datasources are unaffected. To encrypt the secret
|
|
fields of existing datasources, simply delete and re-add after Congress
|
|
upgrade.
|