[Openstack-security] [openstack/barbican-specs] SecurityImpact review request change Iccdfca4f309c50b7507f0a0992bec561045784f0
gerrit2 at review.openstack.org
Mon May 11 05:01:26 UTC 2015
Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/178926
Log:

commit 27ae14e479a0238b61bdfc2db6c43275868fb3f2
Author: jfwood <john.wood at rackspace.com>
Date: Wed Apr 29 23:32:50 2015 -0500

Add Crypto/HSM MKEK Rotation Support

Currently Barbican has no means to migrate secrets encrypted with a
crypto/HSM-style plugin to a new master key encryption key (MKEK) and
its associated wrapped project KEKs. This blueprint proposes adding a
new Barbican service process that supports completing the rotation of
secrets to a new master key encryption key (MKEK) and a new wrapped
project KEK.

Note that unlike the similarly-named blueprint at
https://blueprints.launchpad.net/barbican/+spec/add-crypto-mkek-rotation-support-lightweight
this blueprint does call for re-encrypting secrets *and* wrapped
project KEKs, so the other blueprint is a 'lightweight' alternative to
this one.

This process would be started after deployers, out of
band: (1) generate new MKEK and HMAC signing keys with a binding to new
labels, and then (2) replicate these keys to other HSMs that may be in
the high availability (HA) group, and then (3) update Barbican's config
file to reference these new labels, and finally (4) restart the
Barbican nodes. The proposed process would then migrate secrets from
encryption via the old keys to encryption via the new ones.

Change-Id: Iccdfca4f309c50b7507f0a0992bec561045784f0
Implements: blueprint add-crypto-mkek-rotation-support
SecurityImpact: Rotates and migrates secrets to new KEKs.
DocImpact: Add information on running KEK migration process.
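
The full rotation described in the commit message (a new project KEK, secrets re-encrypted, and the KEK wrapped under the new-label keys), sketched as an added example; it is not code from the Barbican patch or spec. Assumptions: a dict stands in for the HSM, AES key wrap protects the project KEK, HMAC-SHA256 authenticates the wrapped blob, AES-GCM encrypts secrets, and all function names and labels are hypothetical. It uses the Python `cryptography` package.

```python
import hashlib
import hmac
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import aes_key_unwrap, aes_key_wrap

# Constructed stand-in for the HSM: label -> key bytes. On a real HSM the
# keys never leave the device and are addressed only by label.
HSM = {label: os.urandom(32)
       for label in ("mkek_old", "hmac_old", "mkek_new", "hmac_new")}


def wrap_kek(kek, mkek_label, hmac_label):
    """Wrap a project KEK under the MKEK and sign the wrapped blob."""
    wrapped = aes_key_wrap(HSM[mkek_label], kek)
    tag = hmac.new(HSM[hmac_label], wrapped, hashlib.sha256).digest()
    return {"mkek": mkek_label, "hmac": hmac_label, "wrapped": wrapped, "tag": tag}


def unwrap_kek(rec):
    """Verify the HMAC first, then unwrap with the MKEK the record names."""
    expected = hmac.new(HSM[rec["hmac"]], rec["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        raise ValueError("wrapped KEK failed HMAC verification")
    return aes_key_unwrap(HSM[rec["mkek"]], rec["wrapped"])


def encrypt(kek, plaintext):
    nonce = os.urandom(12)  # fresh 96-bit nonce per secret, stored with it
    return nonce + AESGCM(kek).encrypt(nonce, plaintext, None)


def decrypt(kek, blob):
    return AESGCM(kek).decrypt(blob[:12], blob[12:], None)


def rotate_project(kek_rec, secrets, new_mkek, new_hmac):
    """Full rotation: new project KEK, every secret re-encrypted under it,
    and the new KEK wrapped and signed with the new-label keys."""
    old_kek = unwrap_kek(kek_rec)
    new_kek = AESGCM.generate_key(bit_length=256)
    migrated = {name: encrypt(new_kek, decrypt(old_kek, blob))
                for name, blob in secrets.items()}
    return wrap_kek(new_kek, new_mkek, new_hmac), migrated
```

Because each KEK record names the labels it was wrapped under, migrated and unmigrated projects can coexist while the process runs; the old-label keys can be retired only once no record references them.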