1 of 3

Security Considerations in Key Management for SSL-VPN

2 of 3

Option A: Store the key in the DB

  Who can see the key:
    - neutron process
    - neutron db user
    - rabbitmq user

  Pros:
    - Neutron server stays stateless.

  Cons:
    - The DB user can read the key.
      (But is this really different from file-permission-based security if we limit the neutron DB user?)

Option B: Store the key in a file (with permission 0600)

  Who can see the key:
    - neutron process
    - neutron process user
    - rabbitmq user

  Pros:
    - Compared with DB storage: if an attacker has access to the DB, he can update the CA certificate for a MITM attack.
    - We can use file-based permissions.

  Cons:
    - This change makes the neutron server stateful. You can use NFS, but that is an insecure solution.
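To make option B concrete, here is an added example (my own illustration, not Neutron's code) of storing a key in a file so that it really is mode 0600 from the moment it exists, together with the load-time check that refuses a key whose permissions have drifted. The file name, the helper names and the sample key bytes are constructed for the example.

```python
import os
import stat
import tempfile

# Added example (not Neutron's own code): the "key in a file with mode 0600"
# option from the slide above, written so that the key is never readable by
# other local users, not even between creation and chmod, plus a load-time
# check that refuses a key whose permissions have been loosened.


def write_private_key(path, key_bytes):
    """Atomically write key material with mode 0600.

    tempfile.mkstemp() creates the temporary file with O_CREAT|O_EXCL and
    mode 0600 regardless of umask, so there is no window in which another
    local user could open it; the rename then publishes it under `path`.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".key-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(key_bytes)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp_path, 0o600)      # explicit, in case the default ever changes
        os.replace(tmp_path, path)     # atomic on POSIX; overwrites an old key
    except BaseException:
        os.unlink(tmp_path)
        raise
    return path


def check_key_permissions(path, expected_uid=None):
    """Return (ok, reason); ok is False if anyone but the owner can touch the file."""
    st = os.lstat(path)                # lstat: do not follow a planted symlink
    if stat.S_ISLNK(st.st_mode):
        return False, "key path is a symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "key path is not a regular file"
    uid = os.getuid() if expected_uid is None else expected_uid
    if st.st_uid != uid:
        return False, "owned by uid %d, expected %d" % (st.st_uid, uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, "mode %o grants group/other access" % stat.S_IMODE(st.st_mode)
    return True, "ok"


def load_private_key(path):
    """Read the key only if check_key_permissions() is satisfied."""
    ok, reason = check_key_permissions(path)
    if not ok:
        raise PermissionError("refusing to load %s: %s" % (path, reason))
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Exercise the helpers on a constructed key in a private temp dir and
    report what happened, so the outcome can be checked without printing."""
    key = b"-----BEGIN PRIVATE KEY-----\nconstructed-sample-not-a-real-key\n-----END PRIVATE KEY-----\n"
    result = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sslvpn.key")
        write_private_key(path, key)
        result["mode_after_write"] = stat.S_IMODE(os.stat(path).st_mode)
        result["check_after_write"] = check_key_permissions(path)
        result["loaded_matches"] = load_private_key(path) == key
        os.chmod(path, 0o644)           # simulate an operator loosening the file
        result["check_after_chmod"] = check_key_permissions(path)
        try:
            load_private_key(path)
            result["load_after_chmod"] = "loaded"
        except PermissionError:
            result["load_after_chmod"] = "refused"
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-18s %r" % (k, v))
```

Note what this does and does not cover: it keeps the key away from other local users on the host (the "neutron process user" line on the slide), but it does nothing about the "rabbitmq user" line, because once the key is put on the message bus the file mode no longer applies; that is exactly the gap the next slide's transport security addresses.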

3 of 3

Transport Messaging Security

You should turn on SSL for AMQP (the rabbitmq transport), since the key travels over the message bus.

http://docs.openstack.org/security-guide/content/ch038_transport-security.html