<html><head></head>
<body><div>On Mon, 2018-06-18 at 17:23 +0000, Waines, Greg wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>Hey ... a couple of NEWBY question for the Barbican Team.</div><div> </div><div>I just setup a devstack with Barbican @ stable/queens .</div><div> </div><div>Ran through the “Verify operation” commands ( https://docs.openstack.org/barbican/latest/install/verify.html ) ... Everything worked.</div><div><a href="mailto:stack@barbican">stack@barbican</a>:~/devstack$ openstack secret list</div><div> </div><div><a href="mailto:stack@barbican">stack@barbican</a>:~/devstack$ openstack secret store --name mysecret --payload j4=]d21</div><div>+---------------+--------------------------------------------------------------------------------+</div><div>| Field | Value |</div><div>+---------------+--------------------------------------------------------------------------------+</div><div>| Secret href | http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1 |</div><div>| Name | mysecret |</div><div>| Created | None |</div><div>| Status | None |</div><div>| Content types | None |</div><div>| Algorithm | aes |</div><div>| Bit length | 256 |</div><div>| Secret type | opaque |</div><div>| Mode | cbc |</div><div>| Expiration | None |</div><div>+---------------+--------------------------------------------------------------------------------+</div><div><a href="mailto:stack@barbican">stack@barbican</a>:~/devstack$ </div><div><a href="mailto:stack@barbican">stack@barbican</a>:~/devstack$ </div><div><a href="mailto:stack@barbican">stack@barbican</a>:~/devstack$ openstack secret list</div><div>+--------------------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+</div><div>| Secret href | Name | Created | Status | Content types | Algorithm | Bit 
length | Secret type | Mode | Expiration |</div><div>+--------------------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+</div><div>| http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1 | mysecret | 2018-06-18T14:47:45+00:00 | ACTIVE | {u'default': u'text/plain'} | aes | 256 | opaque | cbc | None |</div><div>+--------------------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+</div><div>stack@barbican:~/devstack$ openstack secret get http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1</div><div>+---------------+--------------------------------------------------------------------------------+</div><div>| Field | Value |</div><div>+---------------+--------------------------------------------------------------------------------+</div><div>| Secret href | http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1 |</div><div>| Name | mysecret |</div><div>| Created | 2018-06-18T14:47:45+00:00 |</div><div>| Status | ACTIVE |</div><div>| Content types | {u'default': u'text/plain'} |</div><div>| Algorithm | aes |</div><div>| Bit length | 256 |</div><div>| Secret type | opaque |</div><div>| Mode | cbc |</div><div>| Expiration | None |</div><div>+---------------+--------------------------------------------------------------------------------+</div><div>stack@barbican:~/devstack$ openstack secret get http://10.10.10.17/key-manager/v1/secrets/87eb0f18-e417-45a8-ae49-187f8d8c98d1 --payload</div><div>+---------+---------+</div><div>| Field | Value |</div><div>+---------+---------+</div><div>| Payload | j4=]d21 |</div><div>+---------+---------+</div><div><a 
href="mailto:stack@barbican">stack@barbican</a>:~/devstack$</div><div> </div><div> </div><div>QUESTIONS:</div><div>· In this basic devstack setup, what is being used as the secret store ?</div></blockquote><div><br></div><div>In the basic devstack setup, we use the default secret store plugin which is the SimpleCrypto plugin.</div><div>This encrypts the secrets using a symmetric key, and stores the results in the barbican sql database.</div><div>The default encryption key can be seen in <a href="https://github.com/openstack/barbican/blob/master/barbican/plugin/crypto/simple_crypto.py#L37">https://github.com/openstack/barbican/blob/master/barbican/plugin/crypto/simple_crypto.py#L37</a></div><div><br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>o E.g. /etc/barbican/barbican.conf for devstack is simply</div><div><a href="mailto:stack@barbican">stack@barbican</a>:~/devstack$ more /etc/barbican/barbican.conf </div><div> </div><div>[DEFAULT]</div><div>transport_url = rabbit://stackrabbit:admin@10.10.10.17:5672</div><div>db_auto_create = False</div><div>sql_connection = mysql+pymysql://root:admin@127.0.0.1/barbican?charset=utf8</div><div>logging_exception_prefix = %(color)s%(asctime)s.%(msecs)03d TRACE %(name)s %(instance)s</div><div>logging_debug_format_suffix = from (pid=%(process)d) %(funcName)s %(pathname)s:%(lineno)d</div><div>logging_default_format_string = %(asctime)s.%(msecs)03d %(color)s%(levelname)s %(name)s [-%(color)s] %(instance)s%(color)s%(message)s</div><div>logging_context_format_string = %(asctime)s.%(msecs)03d %(color)s%(levelname)s %(name)s [%(request_id)s %(project_name)s %(user_name)s%(color)s] %(instance)s%(color)s%(message)s</div><div>use_stderr = True</div><div>log_file = /opt/stack/logs/barbican.log</div><div>host_href = <a href="http://10.10.10.17/key-manager">http://10.10.10.17/key-manager</a></div><div>debug = True</div><div> 
</div><div>[keystone_authtoken]</div><div>memcached_servers = localhost:11211</div><div>signing_dir = /var/cache/barbican</div><div>cafile = /opt/stack/data/ca-bundle.pem</div><div>project_domain_name = Default</div><div>project_name = service</div><div>user_domain_name = Default</div><div>password = admin</div><div>username = barbican</div><div>auth_url = <a href="http://10.10.10.17/identity">http://10.10.10.17/identity</a></div><div>auth_type = password</div><div> </div><div>[keystone_notifications]</div><div>enable = True</div><div><a href="mailto:stack@barbican">stack@barbican</a>:~/devstack$ </div><div> </div><div> </div><div>What is the basic strategy here wrt Barbican providing secure secret storage ?</div><div>e.g.</div><div>Secrets are stored encrypted in some secret store ?</div><div>Again, for default devstack, what is that secret store ? (assuming it is NOT the DB being used for general openstack services’ tables)</div><div>i.e. assuming it is separate DB or file or directory of files</div></blockquote><div><br></div><div>See response above. In the basic devstack case, the secrets are encrypted by the encryption key (kek) and stored in the barbican sql database.</div><div><br></div><div>Barbican has a number of gates where we configure different secret stores (including KMIP, Dogtag and Vault). Depending on the secret store,</div><div>the KEK and secret may be stored in different places.</div><div><br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>What key is used for encryption ? ... </div><div><br></div><div>The UUID of the Barbican ‘secret’ object in the Barbican openstack DB Table is the ‘external reference’ for the secret ?</div><div>? and this ‘secret’ object has the internal reference for the secret in the secret store ?</div><div><br></div><div><br></div></blockquote><div><br></div><div>Each secret stored in barbican has an entry in the barbican DB secrets table. 
This is the UUID in the "external reference".</div><div>For the SimpleCryptoPlugin, the secret payload is also stored encrypted in the DB (in a separate table).</div><div><br></div><div>For different secret store plugins, especially the KMIP, Dogtag or Vault plugins, where the secret payload is stored in a separate system,</div><div>the secret store entry will store the 'internal' secret reference to allow Barbican to retrieve the secret from the Dogtag/Vault/KMIP device.</div><div><br></div><div> </div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>ADMIN privileges are required to access the Barbican ‘secret’ objects ? </div><div><br></div></blockquote><div><br></div><div>In the basic devstack case using SimpleCrypto, the secrets are stored encrypted in the DB. The DB is supposed to be accessed only</div><div>through the Barbican API, which enforces oslo.policy according to the policy.json file. Typically, that means being able to access a secret</div><div>if you are a user within the same project.</div><div><br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div>For dev</div><div><br></div><div><br></div><div>Soooo ... 
the secrets are stored in encrypted format and can only be referenced / retrieved in plain text with ADMIN privileges</div><div>Is this the basis of the strategy ?</div><div> </div></blockquote><div><br></div><div>No, secrets are stored encrypted and can be obtained unencrypted through the Barbican REST API with the right keystone permissions.</div><div><br></div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div> </div><div>Thanks in advance,</div><div>Greg.</div><div> </div><div>__________________________________________________________________________</div><div>OpenStack Development Mailing List (not for usage questions)</div><div>Unsubscribe: <a href="mailto:OpenStack-dev-request@lists.openstack.org">OpenStack-dev-request@lists.openstack.org</a>?subject:unsubscribe</div><div><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></div></blockquote></body></html>
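The reply above describes the SimpleCrypto layout: a symmetric KEK read from barbican.conf, secret payloads stored encrypted in the Barbican SQL database, and access gated by oslo.policy on the API (same project, not admin). The block below is an added example that models that layout so the security consequence is concrete; it is not Barbican's code and not part of the original thread. It assumes, as I recall the plugin working and as should be checked against the linked simple_crypto.py, that the master KEK wraps a per-project KEK which in turn encrypts each payload, and that the real plugin uses Fernet. The seal()/unseal() functions are a stdlib stand-in for Fernet (HMAC-SHA256 keystream, encrypt-then-MAC), not its wire format. PLACEHOLDER_DEFAULT_KEK is a constructed value standing in for the well-known default key, not the real one; the names SimpleCryptoStore, decrypt_db_dump and kek_is_default are mine.

```python
"""Envelope-encrypted secret store in the shape the thread describes for
Barbican's SimpleCrypto plugin. Added example, not Barbican code.

Assumptions (verify against barbican/plugin/crypto/simple_crypto.py):
- the master KEK from barbican.conf wraps a per-project KEK, and the
  project KEK encrypts each payload, so the SQL DB holds only ciphertext;
- the real plugin uses Fernet; seal()/unseal() are a stdlib stand-in
  (HMAC-SHA256 keystream, encrypt-then-MAC), not Fernet's format;
- PLACEHOLDER_DEFAULT_KEK is a constructed value, not the real default.
"""
import base64
import hashlib
import hmac
import os
import uuid

PLACEHOLDER_DEFAULT_KEK = base64.b64encode(b"devstack-placeholder-kek-00000000").decode()


def _subkey(kek: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one KEK.
    return hashlib.sha256(label + kek).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(kek: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, fresh random nonce per call."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(_subkey(kek, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("wrong KEK or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(_subkey(kek, b"enc"), nonce, len(ct))))


class SimpleCryptoStore:
    """Two tables, as in the thread: wrapped project KEKs and sealed payloads."""

    def __init__(self, master_kek_b64: str):
        self.master = base64.b64decode(master_kek_b64)
        self.project_kek_rows = {}   # project_id -> project KEK wrapped by the master KEK
        self.secret_rows = {}        # secret uuid -> (project_id, sealed payload)

    def _project_kek(self, project_id: str) -> bytes:
        if project_id not in self.project_kek_rows:
            self.project_kek_rows[project_id] = seal(self.master, os.urandom(32))
        return unseal(self.master, self.project_kek_rows[project_id])

    def store(self, project_id: str, payload: bytes) -> str:
        secret_id = str(uuid.uuid4())   # the UUID that ends up in the secret href
        self.secret_rows[secret_id] = (project_id, seal(self._project_kek(project_id), payload))
        return secret_id

    def get_payload(self, secret_id: str, requester_project: str) -> bytes:
        owner, sealed = self.secret_rows[secret_id]
        if requester_project != owner:   # same-project rule the reply describes; no admin role needed
            raise PermissionError("policy: secret belongs to another project")
        return unseal(self._project_kek(owner), sealed)

    def rotate_master_kek(self, new_master_b64: str) -> None:
        """Rewrap the project KEKs only; sealed payloads are untouched."""
        new_master = base64.b64decode(new_master_b64)
        for pid, wrapped in list(self.project_kek_rows.items()):
            self.project_kek_rows[pid] = seal(new_master, unseal(self.master, wrapped))
        self.master = new_master


def decrypt_db_dump(store: SimpleCryptoStore, master_kek_b64: str) -> dict:
    """Offline attacker with the SQL dump: the DB alone fails on the MAC check,
    the DB plus the KEK from barbican.conf recovers every payload."""
    master = base64.b64decode(master_kek_b64)
    return {sid: unseal(unseal(master, store.project_kek_rows[pid]), sealed)
            for sid, (pid, sealed) in store.secret_rows.items()}


def kek_is_default(configured_kek_b64: str, known_defaults=(PLACEHOLDER_DEFAULT_KEK,)) -> bool:
    """Config check: a SimpleCrypto deployment must not run with a published default KEK."""
    return configured_kek_b64 in known_defaults


def demo() -> dict:
    store = SimpleCryptoStore(PLACEHOLDER_DEFAULT_KEK)
    sid = store.store("proj-a", b"j4=]d21")   # payload from the thread's verify run
    out = {"same_project": store.get_payload(sid, "proj-a"),
           "plaintext_in_db": b"j4=]d21" in store.secret_rows[sid][1],
           "default_kek_flagged": kek_is_default(PLACEHOLDER_DEFAULT_KEK),
           "dump_plus_conf": decrypt_db_dump(store, PLACEHOLDER_DEFAULT_KEK)[sid]}
    try:
        store.get_payload(sid, "proj-b")
        out["cross_project_denied"] = False
    except PermissionError:
        out["cross_project_denied"] = True
    store.rotate_master_kek(base64.b64encode(os.urandom(32)).decode())
    try:
        decrypt_db_dump(store, PLACEHOLDER_DEFAULT_KEK)
        out["old_kek_after_rotation"] = "still works"
    except ValueError:
        out["old_kek_after_rotation"] = "rejected"
    out["after_rotation"] = store.get_payload(sid, "proj-a")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point the demo makes is the one a practitioner should take from the thread: with SimpleCrypto the database never holds plaintext and a dump on its own is useless, but the database plus the KEK from barbican.conf recovers everything, so a devstack-style default KEK reduces the store's security to that of the config file. Rotating the master KEK only rewraps the project KEKs, which is what makes the per-project layer worth having. In a real deployment the value to change is the KEK option in the plugin's own config section (as I recall it, `[simple_crypto] kek`; confirm against the linked source), or a different secret store backend such as the KMIP, Dogtag or Vault plugins the reply mentions.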