Currently, my setup involves utilizing OpenStack Barbican on the Bobcat release, with the Thales HSM A790 serving as the PKCS11 backend for multi-tenancy purposes. In this configuration, each project has the flexibility to select its preferred backend, allowing for a mix of PKCS11 and simpler cryptographic methods across projects.

I'm particularly interested in exploring the possibility of dedicating an HMAC/MKEK key specifically for a project, utilizing the PKCS11 backend. This approach would involve assigning a unique key pair to each project, thereby enabling the creation of a segregated partition within the HSM for enhanced security and management.

By establishing dedicated keys per project, I aim to optimize security measures and streamline the management of cryptographic resources within the environment. Your insights on the feasibility and implications of this approach would be greatly appreciated. Looking forward to your response.

Regards,

Rajiv