Decrypt and display VM generated password

Registered by Cédric Soulas

Use Case

I launch an instance, choosing a Windows image and a pub key:
- on VM boot, Windows generates a random password for the Admin session
- the password is encrypted with the pub key and sent to the metadata server (for example with cloudbase-init)
- I can already retrieve this admin password via API with: nova get-password <VM-id> <Private-key>

Horizon Blueprint: "Being able to display and decrypt this password on Horizon"

- A popup displays the encrypted password
- The user has to provide their private key to decrypt this password
- The private key should not transit over the network or be processed on the server side
- The private key should be used on the client side (any JS lib available for decryption? Use of HTML5 File API / FileReader?)
- The password may not be available immediately after the launch of the instance (have to wait for the VM to boot and generate the password)
- Several ways to provide the private key: copy and paste into an input, "browse > select a file", drag & drop
- Should be inspired by the way Amazon does this (both for the internal client-side processing, if it does that, and for UX aspects): more details to be sent later

Blueprint information

David Lyle
Cédric Soulas
Needs approval
Ala Rezmerita
Series goal: Accepted for icehouse
Milestone target: 2014.1
Started by: Cédric Soulas
Completed by: David Lyle

Gerrit topic:,topic:bp/decrypt-and-display-vm-generated-password,n,z

Addressed by:
    Decrypt and display VM generated password

The demos are available here:

1. Windows instance :
2. Ubuntu instance :

To test "Retrieve password" on devstack with Linux instances:
0. Check out the Horizon review
1. Boot an instance
2. Once connected to the instance, run:
#curl --silent --fail > my_ssh_key; ssh-keygen -e -f my_ssh_key -m PKCS8 > my_ssl_key
#PASSWORD=`openssl rand -base64 48 | tr -d '/+' | cut -c1-10`
#ENCRYPTED=`echo "$PASSWORD" | openssl rsautl -encrypt -pubin -inkey my_ssl_key -keyform PEM | openssl base64 -e -A`
#curl --silent --fail
3. Use Horizon to retrieve the password
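
The encryption from step 2 and the matching decryption with the private key, run as a local round trip. This is an added example, not code from the blueprint or from Horizon: it uses `openssl pkeyutl` in place of `rsautl`, a throwaway key pair instead of the instance's SSH key, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: all names, files and the throwaway key are constructed.

# Guest side: encrypt the password with the PEM public key and emit
# single-line base64, as in step 2 (pkeyutl defaults to PKCS#1 v1.5 for RSA).
# printf avoids the trailing newline that `echo` would put inside the
# encrypted plaintext.
encrypt_password() {   # $1 = PEM public key file, $2 = password
    printf '%s' "$2" \
        | openssl pkeyutl -encrypt -pubin -inkey "$1" \
        | openssl base64 -e -A
}

# Client side: decode and decrypt with the private key. The key file is only
# read locally; nothing but the ciphertext has to cross the network.
decrypt_password() {   # $1 = PEM private key file, $2 = base64 ciphertext
    printf '%s\n' "$2" \
        | openssl base64 -d -A \
        | openssl pkeyutl -decrypt -inkey "$1"
}

# Round trip with a throwaway 2048-bit key kept in a 0700 temp directory.
demo_round_trip() {    # $1 = password to protect
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    # Same "BEGIN PUBLIC KEY" PEM format that `ssh-keygen -e -m PKCS8`
    # produces from an SSH public key in step 2.
    openssl rsa -in "$dir/key.pem" -pubout -out "$dir/pub.pem" 2>/dev/null
    enc=$(encrypt_password "$dir/pub.pem" "$1")
    decrypt_password "$dir/key.pem" "$enc"
    rm -rf "$dir"
}

demo_round_trip 'Constructed-Pw1' && echo
```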

[jpichon 2014.03.03] Adding missing milestone + assigning correct owner

[jpichon 2014.03.05] Per discussion on #openstack-dev, the patch is close and has seen several rounds of reviews including from cores and someone from the security team. The Selenium tests can be pulled out and the related issues resolved in a separate patch.

Addressed by:
    Add selenium tests to instance Retrieve Password action

Addressed by:
    Add unit tests to instance Retrieve Password action

