[EPIC] As a user, I can rest easy with all sensitive credentials in the database encrypted at rest
Pulp stores sensitive credentials, e.g. password for Basic Auth, proxy password, or client key for client certificate based authentication in the database in plaintext. The authentication and authorization mechanisms of Pulp keep these safe, but if the database itself was compromised, or dumped, those secrets would be readable to anyone with a copy.
Encrypt these credentials when they live in the database and decrypt them when they are used. This encryption would use symmetric encryption with a key stored on the filesystem that is generated at install time. A good option would be Fernet symmetric key encryption from the
Related to Story on Removing Secrets from API Response
The scope of the fields that are encrypted should be the same as those that are no longer returned in the API due to sensitivity. See Story 8202 for the list of fields.
The private key will need to be generated at install time. We need to determine where to keep these by default securely. They need to be readable by code without a human involved.
#18 Updated by firstname.lastname@example.org about 2 months ago
The filepath will be: /etc/pulp/certs/database_fields.symmetric.key as the default path or fixed path for installer / container / operator.
We agreed (at a pulp_installer meeting I think) that the pulp certs directory would be used, since private keys for certs are kept under there, and it needs similar permissions.
We didn't agree on a filename, but we were thinking of ending with .symmetric.key ( .key is the suffix for private keys for certs.)
Please register to edit this issue