[openstack-dev] Barbican : What is the difference between secret and order resource

Asha Seshagiri asha.seshagiri at gmail.com
Fri Apr 17 18:02:36 UTC 2015


Hi All,

I would like to know if the keys generated by Barbican through the order
resource are encrypted using KEKs and then stored in the secret object, or
are they stored in unencrypted format.

Any help would be highly appreciated.

root@barbican:~# curl -H 'Accept: application/json' -H 'X-Project-Id:12345' http://localhost:9311/v1/orders

Please find the command and response below:

{"total": 3, "orders": [{"status": "ACTIVE", "secret_ref":
"http://localhost:9311/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2",
"updated": "2015-03-13T22:27:48.866683", "meta": {"name": "secretname2",
"algorithm": "aes", "payload_content_type": "application/octet-stream",
"mode": "cbc", "bit_length": 256, "expiration": null}, "created":
"2015-03-13T22:27:48.844860", "type": "key", "order_ref":
"http://localhost:9311/v1/orders/5a4844ca-47a9-4bd7-ae56-fb84655f48d9"},....

root@barbican:~# curl -H 'Accept: application/json' -H 'X-Project-Id:12345' http://localhost:9311/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2
{"status": "ACTIVE", "secret_type": "opaque", "updated":
"2015-03-13T22:27:48.863403", "name": "secretname2", "algorithm": "aes",
"created": "2015-03-13T22:27:48.860600", "secret_ref":
"http://localhost:9311/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2",
"content_types": {"default": "application/octet-stream"}, "expiration":
null, "bit_length": 256, "mode": "cbc"}


root@barbican:~# curl -H 'Accept:application/octet-stream' -H 'X-Project-Id:12345' http://localhost:9311/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2
▒▒R▒v▒▒▒W▒4▒A?Md▒L[▒K4A▒▒bx▒▒▒

-> *I would like to know if this response is encrypted by Barbican using
KEKs or is in unencrypted format whose content type is
application/octet-stream*


Thanks and Regards,
Asha Seshagiri

On Fri, Apr 17, 2015 at 11:30 AM, Asha Seshagiri <asha.seshagiri at gmail.com>
wrote:

> Thanks a lot John for your response.
>
> I also thank everyone who has been responding to my queries, if I have
> missed someone.
> There was some problem while configuring my email. I do not receive the
> email response directly from the openstack Dev group. I would check the
> archive folder for that.
> I will have a look into it.
>
> Once again, it's nice working and collaborating with the openstack Dev
> group.
>
> Thanks and Regards,
> Asha Seshagiri
>
> On Thu, Apr 16, 2015 at 8:10 AM, John Wood <john.wood at rackspace.com>
> wrote:
>
>>  Hello Asha,
>>
>>  The /v1/secrets resource is used to upload, encrypt and store your
>> secrets, and to decrypt and retrieve those secrets. Key encryption keys
>> (KEKs) internal to Barbican are used to encrypt the secret.
>>
>>  The /v1/orders resource is used when you want Barbican to generate
>> secrets for you. When they are done they give you references to where the
>> secrets are stored so you can retrieve them via the secrets resource above.
>>
>>  Hope that helps!
>>
>>  Thanks,
>> John
>>
>>   From: Asha Seshagiri <asha.seshagiri at gmail.com>
>> Date: Thursday, April 16, 2015 at 1:23 AM
>> To: openstack-dev <openstack-dev at lists.openstack.org>
>> Cc: John Wood <john.wood at rackspace.com>, "Reller, Nathan S." <
>> Nathan.Reller at jhuapl.edu>, Douglas Mendizabal <
>> douglas.mendizabal at RACKSPACE.COM>, Paul Kehrer <paul.kehrer at RACKSPACE.COM>,
>> Adam Harwell <adam.harwell at RACKSPACE.COM>, Alexis Lee <alexisl at hp.com>
>> Subject: Barbican : What is the difference between secret and order
>> resource
>>
>>   Hi All,
>>
>>  What is the difference between secret and the order resource?
>> Where is the key stored that is used for encrypting the payload in the
>> secret resource, and how do we access it?
>>
>>  According to my understanding,
>>
>>  Storing/posting the secret means we are encrypting the actual
>> information (payload) using the key generated internally by Barbican
>> based on the type mentioned in the secret type.
>> Getting the secret means we are decrypting the information and getting the
>> actual information.
>>
>>  Posting the order refers to the generation of the actual keys by
>> Barbican and encrypting those keys based on the algorithm and the internal
>> key generated by Barbican.
>> This encrypted key is referred through the secret reference and the whole
>> metadata is referred through an order reference.
>>
>>  Please correct me if I am wrong.
>> Any help would be highly appreciated.
>>
>>
>>  --
>>  *Thanks and Regards,*
>> *Asha Seshagiri*
>>
>
>
>
> --
> *Thanks and Regards,*
> *Asha Seshagiri*
>



-- 
*Thanks and Regards,*
*Asha Seshagiri*
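
Added example, not part of the original thread and not Barbican project code: John Wood's reply quoted above describes the secrets resource as decrypting on retrieval, so the octet-stream payload of a generated 256-bit AES key should be exactly 32 raw bytes. The sketch below follows each ACTIVE key order to its secret_ref and checks that; http_fetch, stub_fetch, audit_key_orders and the sample data are constructed for illustration.

```python
import json
import urllib.request


def http_fetch(url, accept, project_id="12345"):
    """GET a Barbican URL with the headers used by the curl commands in the post."""
    req = urllib.request.Request(
        url, headers={"Accept": accept, "X-Project-Id": project_id})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if accept == "application/json" else body


def audit_key_orders(orders, fetch=http_fetch):
    """Follow each ACTIVE key order to its secret and report mismatches."""
    findings = []
    for order in orders["orders"]:
        if order.get("type") != "key" or order.get("status") != "ACTIVE":
            continue
        ref, meta = order["secret_ref"], order["meta"]
        secret = fetch(ref, "application/json")
        # What the order asked for must match what the secret reports.
        for field in ("algorithm", "mode", "bit_length"):
            if secret.get(field) != meta.get(field):
                findings.append((ref, f"{field} mismatch"))
        payload = fetch(ref, "application/octet-stream")
        # Raw key material is exactly bit_length / 8 bytes long.
        expected = meta["bit_length"] // 8
        if len(payload) != expected:
            findings.append(
                (ref, f"payload is {len(payload)} bytes, expected {expected}"))
    return findings


# Constructed sample data shaped like the responses in the post (not live output).
REF = "http://localhost:9311/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2"
ORDERS = {"total": 1, "orders": [{
    "status": "ACTIVE", "type": "key", "secret_ref": REF,
    "meta": {"name": "secretname2", "algorithm": "aes",
             "mode": "cbc", "bit_length": 256}}]}
SECRET_META = {"status": "ACTIVE", "name": "secretname2", "algorithm": "aes",
               "mode": "cbc", "bit_length": 256}
SAMPLE_PAYLOAD = bytes(range(32))  # constructed stand-in for 32 raw key bytes


def stub_fetch(url, accept):
    """Offline stand-in for http_fetch so the check runs without a server."""
    return SECRET_META if accept == "application/json" else SAMPLE_PAYLOAD


if __name__ == "__main__":
    print(audit_key_orders(ORDERS, stub_fetch))
```

Against a live endpoint, pass the parsed /v1/orders response and leave fetch at its default.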