[barbican] dev: Using Barbican for media box/center unattended cert, key (KEK) updates, etc.

Hunter Nins Hunter90960 at mail.com
Thu May 30 01:53:01 UTC 2019

2nd try. 

Including a link to my Stack Overflow post to centralize responses.


Sent: Tuesday, May 28, 2019 at 3:49 PM
From: "Hunter Nins" <Hunter90960 at mail.com>
To: openstack-discuss at lists.openstack.org
Subject: [barbican] dev: Using Barbican for media box/center unattended cert, key (KEK) updates, etc.

Pardon: the first attempt was HTML-formatted.

I am currently working on a customized media center/box product for my employer. It's basically a Raspberry Pi 3b+ running Raspbian, configured to auto-update periodically via `apt`. The device accesses binaries for proprietary applications via a private, secured `apt` repo, using a pre-installed certificate on the device.

Right now, the certificate on the device is set to never expire, but going forward, we'd like to configure the certificate to expire every 4 months. We also plan to deploy a unique certificate per device we ship, so the certs can be revoked if the tamper mechanism is triggered (i.e. if the customer rips open the box, it blows a fuse that is attached to an ADC chip, and the device reports in s/w that the sensor has been tripped). Finally, we anticipate some customers leaving the device offline, and only updating once every year (allowing for time for the cert to expire).

Is there a way I could use Barbican to:
* Update the certs for apt-repo access on the device periodically.
* Set up key-encryption-keys (KEK) on the device, if we need the device to be able to download sensitive data, such as an in-memory cached copy of customer info.
* Provide a mechanism for a new key to be deployed on the device if the currently-used key has expired (i.e. the user hasn't connected the device to the internet for more than 4 months).
* Allow keys to be tracked, revoked, and de-commissioned.

Thank you for your time and assistance.
