[ https://issues.apache.org/jira/browse/CASSANDRA-21153?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
BHARATH KUMAR updated CASSANDRA-21153:
--------------------------------------
Description:
h4. Background
Cassandra previously stored keystore and truststore passwords directly in
{{cassandra.yaml}}, which posed operational security risks because
sensitive data was present in config files.
CASSANDRA-13428 addressed part of this risk by adding
{{keystore_password_file}} and {{truststore_password_file}} options, allowing
passwords to be read from secure files rather than embedded directly in the
configuration.
While this reduces exposure from plaintext passwords in config files, it still
requires secret material to exist on disk and be managed at the operating
system level.
h4. Enhancement Request
Extend Cassandra’s existing secure configuration capabilities (including the
improvements from CASSANDRA-13428) to support external secret manager
integration, enabling keystore and truststore passwords to be resolved at
runtime from centralized secret stores rather than from local files.
was:
h4. Background
Cassandra previously stored keystore and truststore passwords directly in
{{cassandra.yaml}}, which posed operational security risks because
sensitive data was present in config files.
CASSANDRA-13428 addressed part of this risk by adding
{{keystore_password_file}} and {{truststore_password_file}} options, allowing
passwords to be read from secure files rather than embedded directly in the
configuration.
While this reduces exposure from plaintext passwords in config files, it still
requires secret material to exist on disk and be managed at the operating
system level.
h4. Enhancement Request
Extend Cassandra’s existing secure configuration capabilities (including the
improvements from CASSANDRA-13428) to support external secret manager
integration, enabling keystore and truststore passwords to be resolved at
runtime from secret backends rather than from local files.
> Security Enhancement: Support External Secret Manager Integration for SSL Keystore/Truststore Passwords in Cassandra.yaml
> -------------------------------------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-21153
> URL: https://issues.apache.org/jira/browse/CASSANDRA-21153
> Project: Apache Cassandra
> Issue Type: Improvement
> Components: Feature/Encryption, Local/Config
> Reporter: BHARATH KUMAR
> Priority: Normal
>
--
This message was sent by Atlassian Jira (v8.20.10#820010)