APIs are great to leverage automation, scripts and advanced tools in order to consume a service. As cloud purist, we deem it essential to our product line. This article touches on the security issues raised by API access.

API keys vs password

exoscale supports an API endpoint with a separate set of credentials. Each user, along with his email and password is provided with:

  • An API key: a long (80+) random string, used to identify the account.
  • A secret key: an associated long string, used to symmetrically sign all request to the API.

Each API request then includes a HMAC-SHA1 digest of its arguments, computed with the above keys. API keys and secret keys are generated with strong pseudo random number generators (PRNGs) to ensure good key security. API requests are then transmitted over a secure HTTPS channel to ensure confidentiality and avoid replay attacks.

A word on revocation

Even with all these measures in place, keys can still be compromised, through such unfortunate events as laptop theft for instance. In that case, we took a page from the SSL and x.509 book and implemented programmable key revocation:

Reset API Keys

Within the exoscale console, it is possible to reset your API keys from the account details section.

With exoscale it is possible to reset your API keys from your account details. Therefore, whatever your situation, your cloud IaaS security can be properly controlled.

To further enhance security we are working on additional features, first in line will be 2-factor auth and perfect forward secrecy support.