Changing CF Encryption Keys (was Re: Re: Re: Re: Cloud Controller - s3 encryption for droplets)
Sandy Cash Jr <lhcash@...>
Hi Dieu,
I created https://github.com/cloudfoundry/cloud_controller_ng/issues/465 for this. See if that covers what you envision re: scope, etc., and let me know if you think additional details are needed before I submit any PRs.

Thanks,

-Sandy

--
Sandy Cash
Certified Senior IT Architect/Senior SW Engineer
IBM BlueMix
lhcash(a)us.ibm.com
(919) 543-0209

"I skate to where the puck is going to be, not to where it has been." - Wayne Gretzky

From: Dieu Cao <dcao(a)pivotal.io>
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Date: 11/13/2015 12:54 PM
Subject: [cf-dev] Re: Changing CF Encryption Keys (was Re: Re: Re: Re: Cloud Controller - s3 encryption for droplets)

Hi Sandy,

Yes, I'm happy to help work through requirements on these via a github issue in support of PRs to follow through on implementation.

-Dieu
CF CAPI PM

On Fri, Nov 13, 2015 at 6:44 AM, Sandy Cash Jr <lhcash(a)us.ibm.com> wrote:

Hi,

I'm not sure what strategies exist either. This same topic came up partially in the context of my resubmitted FIPS proposal, and I was curious - is it worth creating an issue (or even a separate feature proposal/blueprint) for tooling to rotate encryption keys? It's nontrivial (unless there is tooling about which I am unaware) to do, and a good solution in this space would IMHO fill a significant operational need.

Thoughts?

-Sandy

--
Sandy Cash
Certified Senior IT Architect/Senior SW Engineer
IBM BlueMix
lhcash(a)us.ibm.com
(919) 543-0209

"I skate to where the puck is going to be, not to where it has been." - Wayne Gretzky

From: Dieu Cao <dcao(a)pivotal.io>
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Date: 11/12/2015 02:19 PM
Subject: [cf-dev] Re: Re: Re: Cloud Controller - s3 encryption for droplets

Hi William,

Thanks for the links. We don't have support for client side encryption currently. Cloud Controller and Diego's blobstore clients would need to be modified to encrypt and decrypt for client side encryption and I'm not clear what strategies exist for rotation of keys in these scenarios.

If you're very interested in this feature and are open to working through requirements with me and submitting a PR, please open up an issue on github and we can discuss this further.

-Dieu

On Tue, Nov 10, 2015 at 4:16 PM, William C Penrod <wcpenrod(a)gmail.com> wrote:

I first ran across it here:
http://cloudfoundryjp.github.io/docs/running/bosh/components/blobstore.html

and checked here for additional info:
https://github.com/cloudfoundry/bosh/blob/master/blobstore_client/lib/blobstore_client/s3_blobstore_client.rb

Dieu Cao <dcao@...>
Hi Sandy,
Yes, I'm happy to help work through requirements on these via a github issue in support of PRs to follow through on implementation.

-Dieu
CF CAPI PM

On Fri, Nov 13, 2015 at 6:44 AM, Sandy Cash Jr <lhcash(a)us.ibm.com> wrote:

Hi,

Sandy Cash Jr <lhcash@...>
Hi,
I'm not sure what strategies exist either. This same topic came up partially in the context of my resubmitted FIPS proposal, and I was curious - is it worth creating an issue (or even a separate feature proposal/blueprint) for tooling to rotate encryption keys? It's nontrivial (unless there is tooling about which I am unaware) to do, and a good solution in this space would IMHO fill a significant operational need.

Thoughts?

-Sandy

--
Sandy Cash
Certified Senior IT Architect/Senior SW Engineer
IBM BlueMix
lhcash(a)us.ibm.com
(919) 543-0209

"I skate to where the puck is going to be, not to where it has been." - Wayne Gretzky

From: Dieu Cao <dcao(a)pivotal.io>
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Date: 11/12/2015 02:19 PM
Subject: [cf-dev] Re: Re: Re: Cloud Controller - s3 encryption for droplets

Hi William,

Thanks for the links. We don't have support for client side encryption currently. Cloud Controller and Diego's blobstore clients would need to be modified to encrypt and decrypt for client side encryption and I'm not clear what strategies exist for rotation of keys in these scenarios.

If you're very interested in this feature and are open to working through requirements with me and submitting a PR, please open up an issue on github and we can discuss this further.

-Dieu

On Tue, Nov 10, 2015 at 4:16 PM, William C Penrod <wcpenrod(a)gmail.com> wrote:

I first ran across it here:
http://cloudfoundryjp.github.io/docs/running/bosh/components/blobstore.html

and checked here for additional info:
https://github.com/cloudfoundry/bosh/blob/master/blobstore_client/lib/blobstore_client/s3_blobstore_client.rb