Credential key repository is empty.

After configuring keystone to use the Fernet credential provider, you should use keystone-manage credential_setup to initially populate your key repository with keys, and periodically rotate your keys with keystone-manage credential_rotate.[source]

Key repositories for encryption should be unique.

Even though credentials are encrypted using the same mechanism as Fernet tokens, they should have key repository locations that are independent of one another. Using the same repository to encrypt credentials and tokens can be considered a security vulnerability because ciphertext from the keys used to encrypt credentials is exposed as the token ID. Sharing a key repository can also lead to premature key removal during key rotation. This could result in indecipherable credentials, rendering them completely useless, or early token invalidation because the key that was used to encrypt the entity has been deleted.

Ensure keystone.conf [credential] key_repository and keystone.conf [fernet_tokens] key_repository are not pointing to the same location.[source]

Credential key repository is not setup correctly.

The credential Fernet key repository is expected to be readable by the user running keystone, but not world-readable, because it contains security sensitive secrets.