File: keymaster.conf-sample

package info (click to toggle)
swift 2.19.1-1
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 16,768 kB
  • sloc: python: 197,574; sh: 636; pascal: 253; makefile: 69; xml: 32
file content (96 lines) | stat: -rw-r--r-- 4,606 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
 
[keymaster]
# Sets the root secret from which encryption keys are derived. This must be set
# before first use to a value that is a base64 encoding of at least 32 bytes.
# The security of all encrypted data critically depends on this key, therefore
# it should be set to a high-entropy value. For example, a suitable value may
# be obtained by base-64 encoding a 32 byte (or longer) value generated by a
# cryptographically secure random number generator. Changing the root secret is
# likely to result in data loss. If this option is set, the root secret MUST
# NOT be set in proxy-server.conf.
# encryption_root_secret = changeme

[kms_keymaster]
# The kms_keymaster section is used for configuring a keymaster that retrieves
# the encryption root secret from an external key management system (kms),
# using the Castellan abstraction layer. Castellan can support various kms
# backends that use Keystone for authentication. Currently, the only
# implemented backend is for Barbican.

# The api_class tells Castellan which key manager to use to access the external
# key management system. The default value that accesses Barbican is
# castellan.key_manager.barbican_key_manager.BarbicanKeyManager.
# api_class = castellan.key_manager.barbican_key_manager.BarbicanKeyManager

# The configuration options below apply to a Barbican KMS being accessed using
# Castellan. If another KMS type is used (by specifying another value for
# api_class), then other configuration options may be required.

# The key_id is the identifier of the root secret stored in the KMS. For
# details of how to store an existing root secret in Barbican, or how to
# generate a new root secret in Barbican, see the 'overview_encryption'
# documentation.
# The key_id is the final part of the secret href returned in the
# output of an 'openstack secret order get' command after an order to store or
# create a key has been successfully completed. See the 'overview_encryption'
# documentation for more information on this command.
# key_id = changeme

# The Keystone username of the user used to access the key from the KMS. The
# username shall be set to match an existing user.
# username = changeme

# The password to go with the Keystone username above.
# password = changeme

# The Keystone project name. For security reasons, it is recommended to set
# the project_name to a project separate from the service project used by
# other OpenStack services. Thereby, if another service is compromised, it will
# not have access to the Swift root encryption secret. It is recommended that
# the swift user is the only one that has a role in this project.
# project_name = changeme
# Instead of the project name, the project id may also be used.
# project_id = changeme

# The Keystone URL to authenticate to. The value of auth_endpoint may be
# set according to the value of www_authenticate_uri in [filter:authtoken] in
# proxy-server.conf.
# auth_endpoint = http://keystonehost/identity

# The project and user domain names may optionally be specified. If they are
# not specified, the default values of 'Default' (for *_domain_name) and
# 'default' (for *_domain_id) are used (note the capitalization).
# project_domain_name = Default
# user_domain_name = Default
# Instead of the project domain name and user domain name, the project domain
# id and user domain id may also be specified.
# project_domain_id = default
# user_domain_id = default

# The following configuration options may also be used in addition to/instead
# of the above options. Refer to the Keystone documentation for more details
# on the usage of the options: https://docs.openstack.org/keystone/
# user_id = changeme
# trust_id = changeme
# reauthenticate = changeme
# domain_id = changeme
# domain_name = changeme

[kmip_keymaster]
# The kmip_keymaster section is used to configure a keymaster that fetches an
# encryption root secret from a KMIP service.

# The value of the ``key_id`` option should be the unique identifier for a
# secret that will be retrieved from the KMIP service. The secret should be an
# AES-256 symmetric key.
# key_id = <unique id of secret to be fetched from the KMIP service>

# The remaining options are used to configure a PyKMIP client and are shown
# below for information. The authoritative definition of these options can be
# found at: https://pykmip.readthedocs.io/en/latest/client.html.
# host = <KMIP server host>
# port = <KMIP server port>
# certfile = /path/to/client/cert.pem
# keyfile = /path/to/client/key.pem
# ca_certs = /path/to/server/cert.pem
# username = <KMIP username>
# password = <KMIP password>