Hi! I work on OpenStack Keystone. We use Fernet keys for our tokens. A token is basically a tuple encrypted with a Fernet key.

Fernet keys need to be rotated once in a while. Now we store them on disk. But it is problematic to rotate them in containers, because containers are supposed to be immutable. So the idea of key storages came up. For example, we could store the keys in a database. Or in OpenStack Barbican, which is a REST API designed for the secure storage, provisioning and management of secrets such as encryption keys. Or in Custodia, https://github.com/latchset/custodia

However, it doesn't sound like this should be in Keystone. It is not Keystone-specific, and all Fernet key users will probably benefit from that. What do you think about adding this sort of functionality to cryptography?

The idea is to define an abstract class in cryptography for a storage. An instance of storage will be passed to MultiFernet, which will read the keys from there, create individual instances of fernet.Fernet and perform all the usual stuff. Storage classes can be implemented inside cryptography or outside of it.

What do you think about this?

_______________________________________________
Cryptography-dev mailing list
Cryptography-dev@python.org
https://mail.python.org/mailman/listinfo/cryptography-dev
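The storage abstraction sketched in the post, worked through as an added example (not code from the original message, from Keystone, or from the cryptography project): a hypothetical KeyStorage base class, an in-memory backend standing in for a database or Barbican/Custodia client, and a wrapper that rebuilds a MultiFernet from whatever the storage currently holds, so adding a new primary key and retiring the oldest one never touches the local filesystem. The names KeyStorage, InMemoryKeyStorage and StorageBackedMultiFernet are assumptions for illustration; Fernet, MultiFernet, MultiFernet.rotate and InvalidToken are the real cryptography API. The run_rotation_demo function walks the full rotation lifecycle and shows the expected failure mode: a token encrypted under a key that has since been retired no longer decrypts, while a token that was rotated in time still does.

```python
import abc
from typing import List, Optional

from cryptography.fernet import Fernet, InvalidToken, MultiFernet


class KeyStorage(abc.ABC):
    """Hypothetical abstract key storage (assumption, not a cryptography API).

    Keys are ordered newest first, matching MultiFernet's convention that the
    first key encrypts and every key may decrypt.
    """

    @abc.abstractmethod
    def load_keys(self) -> List[bytes]:
        """Return all current Fernet keys, newest (primary) first."""

    @abc.abstractmethod
    def add_primary_key(self, key: bytes) -> None:
        """Store a new key and make it the primary (encrypting) key."""

    @abc.abstractmethod
    def retire_oldest_key(self) -> None:
        """Drop the oldest key; tokens still under it become undecryptable."""


class InMemoryKeyStorage(KeyStorage):
    """Constructed stand-in for a database/Barbican/Custodia backend."""

    def __init__(self, keys: Optional[List[bytes]] = None) -> None:
        self._keys: List[bytes] = list(keys or [])

    def load_keys(self) -> List[bytes]:
        return list(self._keys)

    def add_primary_key(self, key: bytes) -> None:
        self._keys.insert(0, key)

    def retire_oldest_key(self) -> None:
        if len(self._keys) <= 1:
            raise ValueError("refusing to retire the only remaining key")
        self._keys.pop()


class StorageBackedMultiFernet:
    """Builds a fresh MultiFernet from storage on every call.

    Re-reading on each operation means a key added by another process
    (or container) is picked up without a restart; the cost is one
    storage read per token operation, which a real backend would cache.
    """

    def __init__(self, storage: KeyStorage) -> None:
        self._storage = storage

    def _multi(self) -> MultiFernet:
        keys = self._storage.load_keys()
        if not keys:
            raise ValueError("key storage holds no Fernet keys")
        return MultiFernet([Fernet(k) for k in keys])

    def encrypt(self, data: bytes) -> bytes:
        return self._multi().encrypt(data)

    def decrypt(self, token: bytes, ttl: Optional[int] = None) -> bytes:
        return self._multi().decrypt(token, ttl)

    def decrypt_or_none(self, token: bytes) -> Optional[bytes]:
        # Surface "no key in storage can verify this token" as None rather
        # than an exception, so callers can log and reject cleanly.
        try:
            return self.decrypt(token)
        except InvalidToken:
            return None

    def rotate(self, token: bytes) -> bytes:
        # Re-encrypts under the current primary key without exposing the
        # plaintext to the caller.
        return self._multi().rotate(token)

    def add_new_primary_key(self) -> bytes:
        key = Fernet.generate_key()
        self._storage.add_primary_key(key)
        return key


def run_rotation_demo() -> dict:
    """Full rotation lifecycle; returns a dict of observable outcomes."""
    storage = InMemoryKeyStorage([Fernet.generate_key()])
    tokens = StorageBackedMultiFernet(storage)
    payload = b"user-id:1234|project:demo"  # constructed sample token body

    old_token = tokens.encrypt(payload)
    new_key = tokens.add_new_primary_key()          # stage 1: add new primary
    still_readable = tokens.decrypt_or_none(old_token)
    rotated_token = tokens.rotate(old_token)         # stage 2: re-encrypt
    storage.retire_oldest_key()                      # stage 3: drop old key
    return {
        "primary_is_new_key": storage.load_keys()[0] == new_key,
        "old_token_readable_before_retire": still_readable == payload,
        "rotated_token_readable_after_retire":
            tokens.decrypt_or_none(rotated_token) == payload,
        "old_token_readable_after_retire":
            tokens.decrypt_or_none(old_token) is not None,
        "key_count": len(storage.load_keys()),
    }


if __name__ == "__main__":
    for name, value in run_rotation_demo().items():
        print(f"{name}: {value}")
```

The ordering of the three stages is the whole point of MultiFernet: a new key must be readable everywhere before anything encrypts under it, and tokens must be rotated before the old key is retired, otherwise outstanding tokens are silently invalidated. A storage backend that enforces that ordering (for example, by refusing to retire a key younger than the token TTL) is where the real safety lives.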