OpenShift Request For Enhancement: RFE-1878

Support SecretBox crypto - OCP 4 Etcd Encryption - API Server

    • Type: Feature Request
    • Resolution: Done
    • Priority: Major
    • Component: etcd

      Proposed title of this feature request:

      To be able to encrypt ETCD with SecretBox

      What is the nature and description of the request? 

      To be able to use more than one encryption type in etcd, as currently only aescbc is supported.

      Why does the customer need this? (List the business requirements here)

       

      AES-CBC does not authenticate data and is known to be vulnerable to padding oracle attacks. While these are not currently feasible attacks against Kubernetes, CBC is risky and a strictly worse option than Secretbox and KMS.

      Similar use case for KMS: https://issues.redhat.com/browse/RFE-1783

      List any affected packages or components.

      • etcd & apiserver.

            anachand Anandnatraj Chandramohan (Inactive)
            rhn-support-dahernan David Hernandez Fernandez
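
Added example (not part of the ticket, and not OpenShift or Kubernetes code): the request's point that AES-CBC does not authenticate data, shown in Go with the standard library only. AES-GCM stands in for Secretbox as the authenticated mode, an assumption made so the example needs no external packages; the key, the sample value and the function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample key and value (both 32 bytes); not from any real cluster.
var key = []byte("0123456789abcdef0123456789abcdef")
var secret = []byte("password=constructed-sample-0001")

// key is a valid AES-256 key, so NewCipher cannot fail here.
var block, _ = aes.NewCipher(key)

// cbcRoundTrip encrypts with AES-CBC, optionally flips one ciphertext bit,
// then decrypts. CBC carries no integrity tag, so decryption cannot fail.
func cbcRoundTrip(pt []byte, tamper bool) []byte {
	iv := make([]byte, aes.BlockSize) // fixed IV only to keep the demo deterministic
	ct := make([]byte, len(pt))       // pt is block-aligned, so padding is omitted
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	if tamper {
		ct[0] ^= 0x01
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return out
}

// aeadRoundTrip does the same with AES-GCM, an authenticated mode used here
// as a standard-library stand-in for secretbox (XSalsa20-Poly1305).
func aeadRoundTrip(pt []byte, tamper bool) ([]byte, error) {
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fixed nonce: demo only, never reuse one
	ct := aead.Seal(nil, nonce, pt, nil)
	if tamper {
		ct[0] ^= 0x01
	}
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	fmt.Println("CBC accepted tampered data:", !bytes.Equal(cbcRoundTrip(secret, true), secret))
	_, err := aeadRoundTrip(secret, true)
	fmt.Println("AEAD rejected tampered data:", err != nil)
}
```

With CBC the modified ciphertext decrypts to different data and the caller gets no error; the authenticated mode returns an error instead of plaintext.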