Secret Store
General concept
Using our secret store, you are able to give the platform access to secrets such as certificates and keys in a secure manner.
We support different secret formats and also incorporate ACLs (Access Control Lists), allowing you to give certain API users access to secrets while withholding access from other users.
Here are some examples of secrets that you can store in our secret store:
Symmetric Keys - Used to perform reversible encryption of data at rest, typically using the AES algorithm set. This is a required type to enable features such as encrypted Swift containers and Cinder volumes, encrypted Cloud Backups and so on.
Asymmetric Keys - Asymmetric key pairs (sometimes referred to as public/private keys) have many use cases; in most scenarios they are used for securing communication between parties. The most common case is SSL/TLS certificates.
Raw Secrets - Barbican stores secrets as a base64 encoded block of data (that is then stored encrypted).
Some of the services in the platform that consume secrets are:
Object Storage - To encrypt objects in the object store.
Load Balancer - To manage certificate/key pairs for HTTPS-enabled Octavia load balancers.
Storage - To encrypt volumes and snapshots.
Compute - To create instances from encrypted volumes and snapshots.
Secrets
Secrets represent keys, credentials, and other sensitive data stored by the secret store service. The secret service supports operations such as:
Listing secrets.
Controlling access to secrets by setting up ACLs (Access Control Lists).
Deletion of secrets.
Decryption of secrets.
Note
Secrets are only manageable via the Cloud management portal and via the OpenStack terminal client. No integration in OpenStack Horizon is currently available.
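As an added example (not code from this page or from the provider's own tooling), the following Python builds the request bodies the Barbican REST API expects for storing an AES key as a base64 block (POST /v1/secrets) and for restricting read access with an ACL (PUT /v1/secrets/{uuid}/acl). It sends nothing over the network; the user ID in the usage section is a constructed placeholder.

```python
import base64
import json
import os


def symmetric_key_body(name, key, bit_length=256):
    """Body for POST /v1/secrets storing a raw AES key.

    Barbican keeps the payload as a base64 block, so the key is encoded here.
    The advertised bit_length is checked against the actual key size so a
    mislabelled key cannot be stored by accident.
    """
    if len(key) * 8 != bit_length:
        raise ValueError(f"key is {len(key) * 8} bits, body claims {bit_length}")
    return {
        "name": name,
        "secret_type": "symmetric",
        "algorithm": "aes",
        "bit_length": bit_length,
        "mode": "cbc",
        "payload": base64.b64encode(key).decode("ascii"),
        "payload_content_type": "application/octet-stream",
        "payload_content_encoding": "base64",
    }


def read_acl_body(user_ids, project_access=False):
    """Body for PUT /v1/secrets/{uuid}/acl.

    Listing users grants them read access; setting project-access to False is
    what withholds the secret from the other users of the same project.
    """
    return {"read": {"users": list(user_ids), "project-access": project_access}}


def decode_payload(body):
    """Reverse of the encoding step: the raw bytes a consumer receives."""
    if body["payload_content_encoding"] != "base64":
        raise ValueError("unexpected payload encoding")
    return base64.b64decode(body["payload"], validate=True)


if __name__ == "__main__":
    # Constructed sample: a fresh 256-bit key and a placeholder user ID.
    aes_key = os.urandom(32)
    print(json.dumps(symmetric_key_body("backup-volume-key", aes_key), indent=2))
    print(json.dumps(read_acl_body(["USER-ID-PLACEHOLDER"]), indent=2))
```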