  1. OpenShift Request For Enhancement
  2. RFE-3095

Looking for ETCD sensitive data encryption to be able to use AES-GCM in place of or in addition to AES-CBC.


    • Feature Request
    • Resolution: Done
    • Major
    • etcd

      1. Proposed title of this feature request: The ETCD sensitive data encryption to use both aesgcm in place of / in addition to aescbc.

      2. What is the nature and description of the request?

      In this doc: https://docs.openshift.com/container-platform/4.8/security/encrypting-etcd.html

      We see that only the 'aescbc' encryption type is present.

      Also, in this openshift/api YAML:

      https://github.com/openshift/api/blob/master/config/v1/0000_10_config-operator_01_apiserver.crd.yaml#L98

      there are two values accepted by the API: aescbc and identity.

      The customer is asking for the AES-GCM cipher to be used when applying encryption.

      In short, they are requiring ETCD database encryption to be updated to use both aesgcm in place of / in addition to aescbc.

      3. Why does the customer need this? (List the business requirements here).

      Currently, the etcd encryption uses AES-CBC encryption, which is not accepted by the customer's cryptographic standards.

      They want AES-256-GCM encryption as per the same standards. Their application will be blocked from going to production if the cryptographic standards are not followed.

      4. List any affected packages or components.

      None that we know of as yet. 

            wcabanba@redhat.com William Caban
            rhn-support-ndabhi Nirali Rajendra Dabhi