Clint Byrum <cl...@fewbar.com> writes:

> Excerpts from Matthieu Huin's message of 2017-03-21 18:43:49 +0100:
>> Hello James,
>>
>> Thanks for opening the discussion on this topic. I'd like to mention that a
>> very common type of secrets that are used in Continuous Deployments
>> scenarios are SSH keys. Correct me if I am wrong, but PKCS#1 wouldn't
>> qualify if standard keys were to be stored.
>
> You could store a key, just not a 4096 bit key.
>
> PKCS#1 has a header/padding of something like 12 bytes, and then you
> need a hash in there, so for SHA1 that's 160 bits or 20 bytes, SHA256
> is 256 bits so 32 bytes. So with a 4096 bit (512 bytes) Zuul key, you
> can encrypt 480 bytes of plaintext, or 468 with sha256. That's enough
> for a 3072 bit (384 bytes) SSH key. An uncommon size, but RSA says
> they're good past 2030:
>
> https://www.emc.com/emc-plus/rsa-labs/historical/twirl-and-rsa-key-size.htm
>
> It's a little cramped, but hey, this is the age of tiny houses, maybe we
> should make do with what we have.
There is that option, the option of adding another encryption system capable of storing larger keys, or this third option:

Because we wanted continuous deployment to be a first-class feature in Zuul v3, we added this section of the spec which specifies that Zuul should have a number of keys automatically available for use in a CD system:

http://specs.openstack.org/openstack-infra/infra-specs/specs/zuulv3.html#continuous-deployment

We haven't started implementing that yet, and it probably needs a little bit of updating before we do, but I think the fundamental idea is still sound and could be accomplished.

-Jim
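The plaintext-capacity arithmetic Clint quotes above, worked through as an added example (not code from this thread or from Zuul): it computes the per-scheme limits as RFC 8017 defines them (PKCS#1 v1.5 reserves 11 bytes, OAEP reserves 2*hLen+2) and builds and checks the v1.5 padding block itself, which is where the fixed overhead comes from. No RSA operation is performed; the 384-byte payload in the usage is a constructed stand-in for a key blob.

```python
import os
import hashlib

# Overheads per RFC 8017: EME-PKCS1-v1_5 uses 0x00 0x02 || PS (>= 8 bytes) || 0x00,
# i.e. 11 bytes; EME-OAEP uses 2 * hLen + 2 bytes for the chosen hash.

def max_plaintext_len(modulus_bits, scheme="pkcs1v15", hash_name="sha256"):
    """Largest message, in bytes, that one RSA encryption can carry."""
    k = modulus_bits // 8  # modulus length in bytes (512 for a 4096-bit key)
    if scheme == "pkcs1v15":
        return k - 11
    if scheme == "oaep":
        h_len = hashlib.new(hash_name).digest_size
        return k - 2 * h_len - 2
    raise ValueError("unknown scheme: %s" % scheme)

def eme_pkcs1_v15_encode(message, modulus_bits):
    """Build EM = 0x00 || 0x02 || PS || 0x00 || M (RFC 8017, 7.2.1).
    Returns the k-byte block that would be fed to RSA; rejects oversized input."""
    k = modulus_bits // 8
    if len(message) > k - 11:
        raise ValueError("message too long: %d > %d bytes" % (len(message), k - 11))
    ps_len = k - len(message) - 3  # always >= 8 because of the check above
    ps = bytearray()
    while len(ps) < ps_len:
        # PS must consist of pseudo-random NON-ZERO bytes, so drop any zeros
        ps.extend(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + bytes(ps) + b"\x00" + message

def eme_pkcs1_v15_decode(em):
    """Inverse of the encoder: strip the padding or reject a malformed block."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad leading bytes")
    sep = em.find(b"\x00", 2)  # first zero after the header ends PS
    if sep < 10:               # fewer than 8 padding bytes is invalid
        raise ValueError("padding too short")
    return em[sep + 1:]

if __name__ == "__main__":
    key_blob = os.urandom(384)  # constructed stand-in for a 384-byte secret
    for scheme, h in (("pkcs1v15", "sha256"), ("oaep", "sha1"), ("oaep", "sha256")):
        print(scheme, h, "max plaintext for 4096-bit key:", max_plaintext_len(4096, scheme, h))
    em = eme_pkcs1_v15_encode(key_blob, 4096)
    assert eme_pkcs1_v15_decode(em) == key_blob
```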