Encrypted Messages in Queue

https://blueprints.launchpad.net/zaqar/+spec/encrypted-messages-in-queue

The queue in Zaqar will support to encrypt messages before storing them into storage backends, also could support to decrypt (or not) messages when those are claimed by consumer. This feature will enhance the security of messaging service.

Problem description

Currently, Zaqar can’t encrypt any messages and just store those messages into storage backends. That’ll bring some security issues like information leakage or hacker attack.

Proposed change

  1. Add one new metadata in queue object that will indicate how to encrypt messages:

  2. “_enable_encrypt_messages=true/false” : this will tell Zaqar whether encrypt messages before storing them into backends or not.

  1. Support to use algorithms to encrypt messages in transport layer before storing them into backends. In V cycle, Zaqar may just support the global key for encryption and decryption, and it will be held by Zaqar service. Users don’t need to encrypt/decypt message by themselves.

  2. Go a step further, Zaqar also could support to let user upload their public key and hold the private key by themselves. In this case, Zaqar just need to encrypt the message by using public key and return the encrypted messages to user.

  3. About the algorithms, in V cycle, Zaqar will introduce the AES-256 encryption at first. In next cycles, Zaqar can suppot asymmetric encryption to let user upload public key and keep the private key by their own.

Note

About the option of encryption algorithms and keys, Zaqar would support specify them throught more metadatas of queues, but it will be done in next serveral cycles. In Victoria, we will choose one algorithm (like AES256) to support and support to storage the keys by Zaqar itself or other service like Barbican.

API Impact

Create queue list:

POST: /v2/queues/queue_name

  RESPONSE CODE: 200
  REQUEST BODY:
  {
    "_enable_encrypt_messages": true
  }

Drawbacks

The ecryption algorithms will impact the performance of storing messages into backends and getting the messages from the queue.

This depends on which kind of encryption algorithms we choose and support.

Alternatives

None

Implementation

Assignee(s)

Primary assignee:

wanghao <sxmatch1986@gmail.com>

Secondary assignee:

None

Milestones

Target Milestone for completion:

victoria M-2

Work Items

  1. Modify api and transport code.

  2. Add support for encryption algorithm and key management.

  3. Add release note for this feature.

  4. Update API reference.

  5. Change unit, functional and tempest tests accordingly.

  6. Add client support.

Dependencies

None

References

None