OpenShift Request For Enhancement: RFE-3338

Allow user to choose etcd encryption cipher


    • Feature Request
    • Resolution: Done
    • Blocker
    • API
    • Etcd

      1. Proposed title of this feature request
      Allow user to choose etcd encryption cipher

      2. What is the nature and description of the request?

      Extend the list of supported ciphers in OCP, and allow the customer to pick and choose from it to encrypt etcd.

      Currently the customer is stuck with AES-CBC, which is not considered secure by the Kubernetes documentation.

      3. Why does the customer need this? (List the business requirements here)

      Currently OCP only allows etcd to be encrypted using the AES-CBC cipher, which the Kubernetes documentation has recently recommended against using: "encryption with aescbc is not recommended due to CBC's vulnerability to padding oracle attacks."

      4. List any affected packages or components.



      Note that this RFE has been opened with a broad scope, either to decide to support the same ciphers vanilla K8s supports or for the team to pick and choose which of those it wants to provide as options in OCP.


            anachand Anandnatraj Chandramohan (Inactive)
            rh-ee-masimonm Maria Simon Marcos