You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@kudu.apache.org by "Attila Bukor (Jira)" <ji...@apache.org> on 2023/02/09 11:23:00 UTC

[jira] [Created] (KUDU-3448) Store IPKI and TSK key material encrypted

Attila Bukor created KUDU-3448:
----------------------------------

             Summary: Store IPKI and TSK key material encrypted
                 Key: KUDU-3448
                 URL: https://issues.apache.org/jira/browse/KUDU-3448
             Project: Kudu
          Issue Type: Improvement
            Reporter: Attila Bukor


Key material for IPKI TLS and TSK should be stored on disk securely, even when user data is not encrypted. The symmetric encryption key should be derived from a password using PBKDF2 which is a FIPS-approved KDF. The masters should have a flag that expects a command which outputs the password (similar to {{{}--webserver_private_key_password_cmd{}}}), that way the users can integrate with a HSM or choose another way to provide the password securely without storing it on a disk.

Generating new keys or encrypting existing key material is outside the scope of this ticket.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)