  1. Cassandra
  2. CASSANDRA-13428

Security: provide keystore_password_file and truststore_password_file options


Details

    • Type: Improvement
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved

    Description

      Currently passwords are stored in plaintext in the configuration file as in:

          server_encryption_options:
            keystore_password: secret
            truststore_password: secret
          client_encryption_options:
            keystore_password: secret
      

      This has the disadvantage that, in order to protect the secrets, the whole configuration file needs to have restricted ownership and permissions. This is problematic in operating systems like NixOS where configuration files are usually stored in world-readable locations.

      A secure option would be to store secrets in files (with restricted ownership and permissions) and reference those files from the unrestricted configuration file as in, for example:

          server_encryption_options:
            keystore_password_file: /run/keys/keystore-password
            truststore_password_file: /run/keys/truststore-password
          client_encryption_options:
            keystore_password_file: /run/keys/keystore-password
      

      This is trivial to implement and provides a big gain in security.

      So, in summary, I'm proposing to add the keystore_password_file and truststore_password_file options besides the existing keystore_password and truststore_password options. The former will take precedence over the latter.
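
A sketch of the resolution rule proposed above, added here as an example; it is not part of the issue and not Cassandra's code. The class and method names are hypothetical, a POSIX filesystem is assumed, and rejecting group- or world-accessible files and stripping the trailing newline are assumptions beyond what the issue states.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.util.*;

// Hypothetical helper: resolves a store password from the two option values.
public final class PasswordOptionResolver {
    // Permission bits that would let anyone other than the owner touch the secret.
    private static final Set<PosixFilePermission> TOO_OPEN = EnumSet.of(
        PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
        PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);

    /** passwordFile wins over inlinePassword when both are set, as the issue proposes. */
    public static char[] resolve(String inlinePassword, String passwordFile) throws IOException {
        if (passwordFile == null || passwordFile.isEmpty())
            return inlinePassword == null ? null : inlinePassword.toCharArray();

        Path path = Paths.get(passwordFile);
        // Assumed hardening: refuse a secret file that is not owner-only.
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
        if (!Collections.disjoint(perms, TOO_OPEN))
            throw new IOException(passwordFile + " is accessible to group/others: " + perms);

        String text = new String(Files.readAllBytes(path), StandardCharsets.UTF_8);
        // Editors and `echo` append a newline that is not part of the password.
        int end = text.length();
        while (end > 0 && (text.charAt(end - 1) == '\n' || text.charAt(end - 1) == '\r')) end--;
        if (end == 0) throw new IOException(passwordFile + " is empty");
        return text.substring(0, end).toCharArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temp file stands in for /run/keys/keystore-password.
        Path secret = Files.createTempFile("keystore-password", null);
        Files.write(secret, "s3cret\n".getBytes(StandardCharsets.UTF_8));
        Files.setPosixFilePermissions(secret, EnumSet.of(
            PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
        // Owner-only file: the file value is used, the inline value is ignored.
        System.out.println(new String(resolve("ignored", secret.toString())));

        // Same file made world-readable: resolution fails instead of falling back.
        Files.setPosixFilePermissions(secret, EnumSet.of(
            PosixFilePermission.OWNER_READ, PosixFilePermission.OTHERS_READ));
        try { resolve("ignored", secret.toString()); }
        catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
        Files.delete(secret);
    }
}
```

Failing closed on an over-permissive file, rather than silently falling back to the inline password, keeps a misconfigured secret from going unnoticed.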


          People

            maulin.vasavada Maulin Vasavada
            basvandijk Bas van Dijk
            Maulin Vasavada


              Time Tracking

                Estimated: 3h (Original Estimate)
                Remaining: 3h (Remaining Estimate)
                Logged: Not Specified
