See responses below:

On Thu, 2019-05-30 at 03:53 +0200, Hunter Nins wrote:
2nd try.
Including link to my Stackoverflow post to centralize responses.
stackoverflow.com/questions/56360728/unattended-automated-linux-device-key-management-certs-for-accessing-update-ser
Sent: Tuesday, May 28, 2019 at 3:49 PM
From: "Hunter Nins" <Hunter90960@mail.com>
To: openstack-discuss@lists.openstack.org
Subject: [barbican] dev: Using Barbican for media box/center unattended cert, key (KEK) updates, etc.

Hello,
Pardon: the first attempt was html-formatted.
I am currently working on a customized media center/box product for my employer. It's basically a Raspberry Pi 3b+ running Raspbian, configured to auto-update periodically via `apt`. The device accesses binaries for proprietary applications via a private, secured `apt` repo, using a pre-installed certificate on the device.
Right now, the certificate on the device is set to never expire, but going forward, we'd like to configure the certificate to expire every 4 months. We also plan to deploy a unique certificate per device we ship, so the certs can be revoked if the tamper mechanism is triggered (i.e. if the customer rips open the box, it blows a fuse that is attached to an ADC chip, and the device reports in s/w that the sensor has been tripped). Finally, we anticipate some customers leaving the device offline, and only updating once every year (allowing for time for the cert to expire).
Is there a way I could use Barbican to:
* Update the certs for apt-repo access on the device periodically.
Barbican used to have an interface to issue certs, but this was removed. Therefore barbican is simply a service to generate and store secrets. You could use something like certmonger. certmonger is a client-side daemon that generates cert requests and submits them to a CA. It then tracks those certs and requests new ones when the certs are going to expire.
* Set up key-encryption-keys (KEK) on the device, if we need the device to be able to download sensitive data, such as an in-memory cached copy of customer info.
To use barbican, you need to be able to authenticate and retrieve something like a keystone token. Once you have that, you can use barbican to generate key encryption keys (which would be stored in the barbican database) and download them to the device using the secret retrieval API. Do you need/want the KEKs escrowed like this though?
* Provide a mechanism for a new key to be deployed on the device if the currently-used key has expired (i.e. the user hasn't connected the device to the internet for more than 4 months).
Barbican has no mechanism for this. This is client-side tooling that would need to be written. You'd need to think about authentication.
* Allow keys to be tracked, revoked, and de-commissioned.
Same as above. Barbican has no mechanism for this.
Thank you for your time and assistance.
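
The flow described in the reply about key encryption keys (get a Keystone token, have Barbican generate the key, download it with the secret retrieval API), as an added example that is not part of the original thread or of the Barbican project. The endpoint URLs, credentials, key name and the `send` transport hook are assumptions; how the device stores its Keystone credential is left open, as the reply notes.

```python
import json, time, urllib.request

def http_send(method, url, headers, body=None):
    """Real transport: returns (status, lower-cased headers, body bytes)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()

def keystone_token(send, keystone_url, user, password, project, domain="Default"):
    """Keystone v3 password auth; the token is returned in X-Subject-Token."""
    body = {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": user, "domain": {"name": domain}, "password": password}}},
        "scope": {"project": {"name": project, "domain": {"name": domain}}}}}
    status, headers, _ = send("POST", keystone_url + "/v3/auth/tokens",
                              {"Content-Type": "application/json"}, body)
    if status != 201:
        raise RuntimeError("keystone auth failed: HTTP %d" % status)
    return headers["x-subject-token"]

def generate_and_fetch_kek(send, barbican_url, token, name, poll_delay=1.0):
    """Order a 256-bit AES key from Barbican, then download its payload."""
    auth = {"X-Auth-Token": token}
    order = {"type": "key", "meta": {
        "name": name, "algorithm": "aes", "bit_length": 256, "mode": "cbc",
        "payload_content_type": "application/octet-stream"}}
    status, _, raw = send("POST", barbican_url + "/v1/orders",
                          dict(auth, **{"Content-Type": "application/json"}), order)
    if status != 202:
        raise RuntimeError("order rejected: HTTP %d" % status)
    order_ref = json.loads(raw)["order_ref"]
    for _ in range(10):                      # orders are processed asynchronously
        _, _, raw = send("GET", order_ref, auth)
        info = json.loads(raw)
        if info.get("status") == "ACTIVE":
            break
        time.sleep(poll_delay)
    else:
        raise RuntimeError("order did not become ACTIVE")
    # Secret retrieval API: the raw key bytes live under <secret_ref>/payload.
    _, _, key = send("GET", info["secret_ref"] + "/payload",
                     dict(auth, Accept="application/octet-stream"))
    if len(key) != 32:
        raise RuntimeError("unexpected key length")
    return info["secret_ref"], key
```

On a device, pass `http_send` as `send`; the key stays in the Barbican database as well, which is the escrow the reply asks about.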