[barbican] dev: Using Barbican for media box/center unattended cert, key (KEK) updates, etc.

Ade Lee alee at redhat.com
Thu May 30 14:17:32 UTC 2019

See responses below:

On Thu, 2019-05-30 at 03:53 +0200, Hunter Nins wrote:
> 2nd try. 
> Including link to my Stackoverflow post to centrlize responses.
> stackoverflow.com/questions/56360728/unattended-automated-linux-
> device-key-management-certs-for-accessing-update-ser
> Sent: Tuesday, May 28, 2019 at 3:49 PM
> From: "Hunter Nins" <Hunter90960 at mail.com>
> To: openstack-discuss at lists.openstack.org
> Subject: [barbican] dev: Using Barbican for media box/center
> unattended cert, key (KEK) updates, etc.
> Hello,
> Pardon: the first attempt was html-formatted.
> I am currently working on a customized media center/box product for
> my employer. It's basically a Raspberry Pi 3b+ running Raspian,
> configured to auto-update periodically via `apt`. The device accesses
> binaries for proprietary applications via a private, secured `apt`
> repo, using a pre-installed certificate on the device.
> Right now, the certificate on the device is set to never expire, but
> going forward, we'd like to configure the certificate to expire every
> 4 months. We also plan to deploy a unique certificate per device we
> ship, so the certs can be revoked if the tamper mechanism is
> triggered (i.e. if the customer rips open the box, it blows a fuse
> that is attached to a ADC chip, and the device reports in s/w that
> the sensor has been tripped). Finally, we anticipate some customers
> leaving the device offline, and only updating once every year
> (allowing for time for the cert to expire).
> Is there a way I could use Barbican to:
> * Update the certs for apt-repo access on the device periodically.

Barbican used to have an interface to issue certs, but this was
removed.  Therefore barbican is simply a service to generate and store

You could use something like certmonger.  certmonger is a client side
daemon that generates cert requests and submits them to a CA.  It then
tracks those certs and requests new ones when the certs are going to

> * Setup key-encryption-keys (KEK) on the device, if we need the
> device to be able to download sensitive data, such as an in-memory
> cached copy of customer info.

To use barbican, you need to be able to authenticate and retrieve
something like a keystone token.  Once you have that, you can use
barbican to generate key encryption keys (which would be stored in the
barbican database) and download them to the device using the secret
retrieval API.

Do you need/want the KEK's escrowed like this though?

> * Provide a mechanism for a new key to be deployed on the device if
> the currently-used key has expired (i.e. the user hasn't connected
> the device to the internet for more than 4 months).

Barbican has no mechanism for this.  This is client side tooling that
would need to be written.  You'd need to think about authentication.

> * Allow keys to be tracked, revoked, and de-commissioned.
Same as above.  Barbican has no mechanism for this.

> Thank you for your time and assistance.

More information about the openstack-discuss mailing list