Excuse me for interrupting, but couldn't you treat the key as largely ephemeral, pull it down from Barbican, start the OpenVPN process and then purge the key? It would of course still be resident in the memory of the OpenVPN process, but should otherwise be protected against filesystem disk-residency issues.
> -----Original Message-----
> From: Nachi Ueno [mailto:na...@ntti3.com]
> Sent: 01 May 2014 17:36
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] [Neutron] SSL VPN Implementation
>
> Hi Jarret
>
> IMO, Zang's point is the issue of saving the plain private key in the filesystem for
> OpenVPN.
> Isn't this the same even if we use Barbican?
>
> 2014-05-01 2:56 GMT-07:00 Jarret Raim <jarret.r...@rackspace.com>:
> > Zang mentioned that part of the issue is that the private key has to
> > be stored in the OpenVPN config file. If the config files are
> > generated and can be stored, then storing the whole config file in
> > Barbican protects the private key (and any other settings) without
> > having to try to deliver the key to the OpenVPN endpoint in some non-standard way.
> >
> > Jarret
> >
> > On 4/30/14, 6:08 PM, "Nachi Ueno" <na...@ntti3.com> wrote:
> >
> >> > Jarret
> >>
> >> Thanks!
> >> Currently, the config will be generated on demand by the agent.
> >> What's the merit of storing the entire config in Barbican?
> >>
> >> > Kyle
> >> Thanks!
> >>
> >> 2014-04-30 7:05 GMT-07:00 Kyle Mestery <mest...@noironetworks.com>:
> >>> On Tue, Apr 29, 2014 at 6:11 PM, Nachi Ueno <na...@ntti3.com> wrote:
> >>>> Hi Clint
> >>>>
> >>>> Thank you for your suggestion. Your point is taken :)
> >>>>
> >>>> > Kyle
> >>>> This is also the same discussion for LBaaS. Can we discuss this in
> >>>> the advanced services meeting?
> >>>>
> >>> Yes! I think we should definitely discuss this in the advanced
> >>> services meeting today. I've added it to the agenda [1].
> >>>
> >>> Thanks,
> >>> Kyle
> >>>
> >>> [1] https://wiki.openstack.org/wiki/Meetings/AdvancedServices#Agenda_for_next_meeting
> >>>
> >>>> > Zang
> >>>> Could you join the discussion?
> >>>>
> >>>> 2014-04-29 15:48 GMT-07:00 Clint Byrum <cl...@fewbar.com>:
> >>>>> Excerpts from Nachi Ueno's message of 2014-04-29 10:58:53 -0700:
> >>>>>> Hi Kyle
> >>>>>>
> >>>>>> 2014-04-29 10:52 GMT-07:00 Kyle Mestery <mest...@noironetworks.com>:
> >>>>>> > On Tue, Apr 29, 2014 at 12:42 PM, Nachi Ueno <na...@ntti3.com> wrote:
> >>>>>> >> Hi Zang
> >>>>>> >>
> >>>>>> >> Thank you for your contribution on this!
> >>>>>> >> The private key management is what I want to discuss in the summit.
> >>>>>> >>
> >>>>>> > Has the idea of using Barbican been discussed before? There are many
> >>>>>> > reasons why using Barbican for this may be better than developing key
> >>>>>> > management ourselves.
> >>>>>>
> >>>>>> No, however I'm +1 for using Barbican. Let's discuss this in the
> >>>>>> certificate management topic in the advanced services session.
> >>>>>>
> >>>>> Just a suggestion: Don't defer that until the summit. Sounds like
> >>>>> you've already got some consensus, so you don't need the summit
> >>>>> just to rubber-stamp it. I suggest discussing as much as you can
> >>>>> right now on the mailing list, and using the time at the summit to
> >>>>> resolve any complicated issues, including any "a or b" things that
> >>>>> need crowd-sourced idea making. You can also use the summit time
> >>>>> to communicate your requirements to the Barbican developers.
> >>>>>
> >>>>> Point is: just because you'll have face time doesn't mean you
> >>>>> should use it for what can be done via the mailing list.
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
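The "fetch, start OpenVPN, purge" idea at the top of this message has one awkward step: if the key is written to a file and then deleted, the parent has to know when OpenVPN has finished reading it before it can safely unlink. The example below, which is added here and is not code from the thread, from Neutron, from Barbican or from OpenVPN, shows the variant that avoids that race entirely: the key is handed to the child on an inherited pipe file descriptor, referenced as a path under /dev/fd, so it is read exactly once and never exists on disk. The Barbican lookup is stubbed with constructed PEM-shaped bytes (assumption: in a real deployment it would be a barbicanclient secret payload), the demo child is a throwaway Python process that echoes what it read so the round trip can be checked offline, and the OpenVPN command line shown in OPENVPN_ARGV is an assumed invocation using the documented --key and --persist-key options, not something taken from the Neutron agent.

```python
"""Hand a private key to a child process on an inherited pipe fd (added
example, not the project's code).  Nothing is written to the filesystem."""
import os
import subprocess
import sys
from typing import List

# Constructed sample: PEM-shaped placeholder bytes, not a real private key.
SAMPLE_KEY = (
    b"-----BEGIN PRIVATE KEY-----\n"
    b"MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7PLACEHOLDER0\n"
    b"-----END PRIVATE KEY-----\n"
)

# Assumed OpenVPN invocation: --key accepts any readable path, so a /dev/fd
# entry works; --persist-key keeps the key in memory across SIGUSR1 restarts,
# which matters because the pipe is drained after the first read.
OPENVPN_ARGV = ["openvpn", "--config", "/etc/openvpn/client.conf",
                "--key", "/dev/fd/{KEYFD}", "--persist-key"]


def fetch_key(secret_ref: str) -> bytes:
    """Stand-in for the Barbican lookup (assumption: the real call would be
    barbicanclient's client.secrets.get(secret_ref).payload).  Returns the
    constructed sample so the example runs offline."""
    return SAMPLE_KEY


def spawn_with_key_fd(argv_template: List[str], key: bytes) -> subprocess.Popen:
    """Start argv with the key readable on an inherited pipe fd.

    Every "{KEYFD}" token in argv_template is replaced by the fd number the
    child will see, so callers can write "/dev/fd/{KEYFD}" wherever the
    program expects a key *file*.  The key is written after the child exists
    and the write end is closed at once, so the child reads it once, sees EOF,
    and no file is ever created.  Caveat: the bytes remain in this parent's
    memory (Python cannot scrub immutable objects), so keep the parent short-lived.
    """
    read_end, write_end = os.pipe()
    argv = [arg.replace("{KEYFD}", str(read_end)) for arg in argv_template]
    try:
        # pass_fds keeps the same fd number in the child, so str(read_end) is
        # valid there; all other descriptors are closed by default.
        proc = subprocess.Popen(argv, pass_fds=(read_end,), stdout=subprocess.PIPE)
    except Exception:
        os.close(write_end)
        raise
    finally:
        os.close(read_end)          # only the child should hold the read side now
    try:
        view = memoryview(key)
        while view:                 # loop: a pipe write may be short
            written = os.write(write_end, view)
            view = view[written:]
    except BrokenPipeError:
        # The child exited before reading; surface its exit status rather than hang.
        pass
    finally:
        os.close(write_end)         # EOF for the child
    return proc


def roundtrip_through_child(key: bytes = SAMPLE_KEY) -> bytes:
    """Demo helper: a throwaway child reads the inherited fd and echoes it back,
    so we can verify the key arrived intact without running OpenVPN."""
    child_argv = [
        sys.executable, "-c",
        "import os, sys; sys.stdout.buffer.write(os.fdopen(int(sys.argv[1]), 'rb').read())",
        "{KEYFD}",
    ]
    proc = spawn_with_key_fd(child_argv, key)
    out, _ = proc.communicate(timeout=30)
    if proc.returncode != 0:
        raise RuntimeError(f"child exited with status {proc.returncode}")
    return out


if __name__ == "__main__":
    key = fetch_key("hypothetical-secret-ref")
    echoed = roundtrip_through_child(key)
    print("round trip ok" if echoed == key else "round trip FAILED")
```

With a real deployment the only change is `spawn_with_key_fd(OPENVPN_ARGV, fetch_key(ref))`; OpenVPN opens /dev/fd/N like any other file. Without `--persist-key` a SIGUSR1 restart would try to re-read the path and find an already-drained pipe, so that option is part of the design, not an optional extra. The approach removes the disk copy only; the key is still in the OpenVPN process (and briefly in the parent), which is exactly the residual exposure the message above accepts.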