Support Credential Encryption

bp credential-encryption

Support encryption of credentials in Keystone to avoid having them stored in plain text in the backend.

Problem Description

Large organizations have security compliance requirements that mandate credentials not be stored in plain text. Credentials in Keystone are currently stored in the backend and are accessible to anyone with access to the backend. If a backend is compromised, an attacker can easily obtain the credentials of any user. Also, anyone within an organization who has backend access can read the credentials directly, bypassing any access controls offered by Keystone.

Proposed Change

Update the credentials driver to support encryption of the blob field in the credential table. Given that there are viable secret providers available (Barbican, cryptography, etc.), the choice of encryption solution should be pluggable. A single key will be used to encrypt the credentials. Key management will be facilitated by allowing two active keys for decryption and a single active key for encryption. All credentials will be encrypted. Key rotation will be done out of band. Keys are deployment wide.



Security Impact

Improved security of confidential information.

Notifications Impact


Other End User Impact


Performance Impact

Encryption will decrease performance.

Other Deployer Impact

Deployers will need to manage the keys. Keys will initially be stored in configuration files. This will require a small amount of effort to set up.

Developer Impact




Primary assignee:

werner.mendizabal (Werner Mendizabal <>)

Work Items

  • Update credentials driver to support encryption.

  • Document upgrade process and how to enable encryption.

  • Write keystone-manage command to encrypt existing credentials. If the deployer has not specified encryption keys, the migration will not re-encrypt the credentials.

  • Write tests to verify functionality.


  • cryptography library for encryption. Fernet will be the default encryption plugin.
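The key scheme from the Proposed Change section (one active encryption key, two active decryption keys, rotation done out of band) can be modelled with the cryptography library's MultiFernet, which is what the Fernet default plugin would build on. The following is an added illustration, not Keystone's driver code; the key names, the JSON-like credential blob and the helper functions are constructed for the example.

```python
"""Fernet encryption of a credential blob with one encryption key and
several decryption keys, modelled on the proposal above (added example)."""
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def new_key():
    # Fresh random Fernet key (urlsafe base64, 32 bytes of key material).
    return Fernet.generate_key()


def build_multifernet(keys):
    # keys[0] is the only key used to encrypt; every key is tried for decryption.
    return MultiFernet([Fernet(k) for k in keys])


def encrypt_blob(keys, blob):
    return build_multifernet(keys).encrypt(blob.encode("utf-8"))


def decrypt_blob(keys, token):
    # Returns None when no configured key can open the token (e.g. key retired too early).
    try:
        return build_multifernet(keys).decrypt(token).decode("utf-8")
    except InvalidToken:
        return None


def rotate_blob(keys, token):
    # Re-encrypts a stored token under keys[0]; the key it was written with must still be listed.
    return build_multifernet(keys).rotate(token)


def demonstrate_rotation():
    """Walk through the two-decryption-keys / one-encryption-key lifecycle."""
    key_a = new_key()  # constructed sample: initial deployment key
    key_b = new_key()  # constructed sample: key introduced at rotation time
    blob = '{"access": "ec2-access", "secret": "ec2-secret"}'  # constructed credential blob

    token_a = encrypt_blob([key_a], blob)
    # Stage 1: key_b becomes primary, key_a is kept for decryption only.
    readable_during_rotation = decrypt_blob([key_b, key_a], token_a) == blob
    # Re-encrypt stored rows under key_b (the keystone-manage step in the work items).
    token_b = rotate_blob([key_b, key_a], token_a)
    # Stage 2: key_a retired; rows that were not rotated are no longer readable.
    return {
        "readable_during_rotation": readable_during_rotation,
        "rotated_readable": decrypt_blob([key_b], token_b) == blob,
        "stale_unreadable": decrypt_blob([key_b], token_a) is None,
        "token_changed": token_a != token_b,
    }


if __name__ == "__main__":
    print(demonstrate_rotation())
```

The last check shows why the re-encryption command matters: retiring the old decryption key before every row has been rotated makes the remaining rows unrecoverable.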

Documentation Impact

  • Documentation should be updated to reflect configuration changes.


  • None