Posted to issues@kudu.apache.org by "Attila Bukor (Jira)" <ji...@apache.org> on 2023/02/09 11:23:00 UTC
[jira] [Created] (KUDU-3448) Store IPKI and TSK key material encrypted
Attila Bukor created KUDU-3448:
----------------------------------
Summary: Store IPKI and TSK key material encrypted
Key: KUDU-3448
URL: https://issues.apache.org/jira/browse/KUDU-3448
Project: Kudu
Issue Type: Improvement
Reporter: Attila Bukor
Key material for IPKI TLS and TSK should be stored on disk securely, even when user data is not encrypted. The symmetric encryption key should be derived from a password using PBKDF2, which is a FIPS-approved KDF. The masters should have a flag that expects a command which outputs the password (similar to {{--webserver_private_key_password_cmd}}); that way the users can integrate with an HSM or choose another way to provide the password securely without storing it on a disk.
Generating new keys or encrypting existing key material is outside the scope of this ticket.
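The password-command and PBKDF2 step proposed in the ticket, as an added Python example that is not Kudu code and not part of the original message. The function names, the header layout, the iteration count and the HMAC key check value are assumptions made for illustration; the ticket specifies none of them.

```python
import hashlib
import hmac
import os
import shlex
import subprocess

PBKDF2_ITERATIONS = 600_000  # assumed work factor; the ticket does not specify one
SALT_LEN = 16                # bytes of random salt stored next to the key material
KEY_LEN = 32                 # 256-bit symmetric key


def read_password(password_cmd: str, timeout: float = 10.0) -> bytes:
    """Run the password command without a shell and return its stdout."""
    proc = subprocess.run(shlex.split(password_cmd), capture_output=True,
                          timeout=timeout, check=False)
    if proc.returncode != 0:
        # Do not log stdout/stderr here: they may contain part of the secret.
        raise RuntimeError(f"password command exited with {proc.returncode}")
    password = proc.stdout.rstrip(b"\r\n")
    if not password:
        raise RuntimeError("password command produced no output")
    return password


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, as the ticket proposes PBKDF2 for the KDF."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=KEY_LEN)


def new_key_header(password_cmd: str) -> tuple[dict, bytes]:
    """Derive a fresh key; return the parameters to persist plus the key."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(read_password(password_cmd), salt, PBKDF2_ITERATIONS)
    # Key check value: lets a later start-up detect a wrong password early.
    check = hmac.new(key, b"key-check", hashlib.sha256).hexdigest()
    header = {"kdf": "pbkdf2-hmac-sha256", "salt": salt.hex(),
              "iterations": PBKDF2_ITERATIONS, "check": check}
    return header, key


def unlock(password_cmd: str, header: dict) -> bytes:
    """Re-derive the key from stored parameters; reject a wrong password."""
    key = derive_key(read_password(password_cmd),
                     bytes.fromhex(header["salt"]), header["iterations"])
    check = hmac.new(key, b"key-check", hashlib.sha256).hexdigest()
    if not hmac.compare_digest(check, header["check"]):
        raise ValueError("derived key does not match stored check value")
    return key
```

Only the salt, iteration count and check value are written to disk; the password and the derived key stay in memory.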