6:24 a.m.
Currently we recommend encrypting credentials at the database layer, but
this is not well documented. It is also not a trivial thing to achieve and
may have performance implications.
With that in mind we are planning to introduce a secure credentials store.
It's very early days, but one thing is certain and that is we will
introduce a Vault SPI to allow plug-ability.
To join the discussion read the initial notes around the subject here
https://github.com/keycloak/keycloak-community/blob/master/design/secure-...
7:48 a.m.
Hi Stian,
Remember that in EAP 7.1+ there is a new credential-store, vault is
considered legacy [1]. Think about using the credential-store API
instead of the vault.
Regards.
[1]
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_ap...
On 5/27/19 1:24 PM, Stian Thorgersen wrote:
Currently we recommend encrypting credentials at the database layer,
but
this is not well documented. It is also not a trivial thing to achieve and
may have performance implications.
With that in mind we are planning to introduce a secure credentials store.
It's very early days, but one thing is certain and that is we will
introduce a Vault SPI to allow plug-ability.
To join the discussion read the initial notes around the subject here
https://github.com/keycloak/keycloak-community/blob/master/design/secure-...
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:38 a.m.
The Vault SPI we provide will be a Keycloak specific API and will not have
anything to do with APIs provided by EAP. We may provide a provider that
integrates with EAP credential-store, but that is also probably unlikely
due to most likely moving away from EAP in the future we don't want to tie
to much to the underlying container.
On Mon, 27 May 2019 at 14:48, Ricardo Martin Camarero <rmartinc(a)redhat.com>
wrote:
Hi Stian,
Remember that in EAP 7.1+ there is a new credential-store, vault is
considered legacy [1]. Think about using the credential-store API
instead of the vault.
Regards.
[1]
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_ap...
On 5/27/19 1:24 PM, Stian Thorgersen wrote:
> Currently we recommend encrypting credentials at the database layer, but
> this is not well documented. It is also not a trivial thing to achieve
and
> may have performance implications.
>
> With that in mind we are planning to introduce a secure credentials
store.
> It's very early days, but one thing is certain and that is we will
> introduce a Vault SPI to allow plug-ability.
>
> To join the discussion read the initial notes around the subject here
>
https://github.com/keycloak/keycloak-community/blob/master/design/secure-...
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
2420
days inactive
2420
days old
2 comments
2 participants
participants (2)
-
Ricardo Martin Camarero -
Stian Thorgersen