[openstack-dev] Barbican : What is the difference between secret and order resource

Asha Seshagiri asha.seshagiri at gmail.com
Sat Apr 18 03:42:09 UTC 2015


Thanks a lot John for your response.
It has helped me.

Thanks and Regards,
Asha Seshagiri

On Fri, Apr 17, 2015 at 2:28 PM, John Wood <john.wood at rackspace.com> wrote:

>  Hello Asha,
>
>  So the last step you have is retrieving a decrypted secret from
> Barbican. Barbican indeed stores the secret internally encrypted using an
> internal KEK. When it is retrieved however, it is first decrypted by
> Barbican and then returned to the client decrypted.
>
>  Beyond TLS to protect this information back to the client, there is also
> a transport key feature that has not yet been fully supported via the
> client library, that allows the client to select a session key that can be
> used to encrypt the secret between the client and Barbican.
>
>  Thanks,
> John
>
>
>   From: Asha Seshagiri <asha.seshagiri at gmail.com>
> Date: Friday, April 17, 2015 at 1:02 PM
> To: John Wood <john.wood at rackspace.com>
> Cc: openstack-dev <openstack-dev at lists.openstack.org>, "Reller, Nathan
> S." <Nathan.Reller at jhuapl.edu>, Douglas Mendizabal <
> douglas.mendizabal at RACKSPACE.COM>, Paul Kehrer <paul.kehrer at RACKSPACE.COM>,
> Adam Harwell <adam.harwell at RACKSPACE.COM>, Alexis Lee <alexisl at hp.com>
> Subject: Re: Barbican : What is the difference between secret and order
> resource
>
>   Hi All,
>
>   I would like to know if the keys generated by Barbican through the
> order resource are encrypted using KEKs and then stored in the secret
> object or are stored in unencrypted format.
>
>  Any help would be highly appreciated.
>
>  root at barbican:~# curl -H 'Accept: application/json' -H
> 'X-Project-Id:12345' http://localhost:9311/v1/orders
>
>  Please find the command and response below:
>
>  {"total": 3, "orders": [{"status": "ACTIVE", "secret_ref": "http://localhost:9311/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2",
> "updated": "2015-03-13T22:27:48.866683", "meta": {"name": "secretname2",
> "algorithm": "aes", "payload_content_type": "application/octet-stream",
> "mode": "cbc", "bit_length": 256, "expiration": null}, "created":
> "2015-03-13T22:27:48.844860", "type": "key", "order_ref": "
> http://localhost:9311/v1/orders/5a4844ca-47a9-4bd7-ae56-fb84655f48d9
> "},....
>
>   root at barbican:~# curl -H 'Accept: application/json' -H
> 'X-Project-Id:12345'
> http://localhost:9311/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2
> {"status": "ACTIVE", "secret_type": "opaque", "updated":
> "2015-03-13T22:27:48.863403", "name": "secretname2", "algorithm": "aes",
> "created": "2015-03-13T22:27:48.860600", "secret_ref": "
> http://localhost:9311/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2",
> "content_types": {"default": "application/octet-stream"}, "expiration":
> null, "bit_length": 256, "mode": "cbc"}
>
>
>  root at barbican:~#  curl -H 'Accept:application/octet-stream' -H
> 'X-Project-Id:12345'
> http://localhost:9311/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2
> ▒▒R▒v▒▒▒W▒4▒A?Md▒L[▒K4A▒▒bx▒▒▒   -> I would like to know if this response
> is encrypted by Barbican using KEKs or is in unencrypted format whose
> content type is application/octet-stream
>
>
>  Thanks and Regards,
> Asha Seshagiri
>
> On Fri, Apr 17, 2015 at 11:30 AM, Asha Seshagiri <asha.seshagiri at gmail.com
> > wrote:
>
>>  Thanks a lot John for your response.
>>
>>  I also thank everyone who has been responding to my queries if I have
>> missed someone.
>> There was some problem while configuring my email. I do not receive the
>> email response directly from the openstack Dev group. I would check the archive
>> folder for that.
>> I will have a look into it.
>>
>>  Once again, it's nice working and collaborating with the openstack
>> Dev group.
>>
>>  Thanks and Regards,
>> Asha Seshagiri
>>
>> On Thu, Apr 16, 2015 at 8:10 AM, John Wood <john.wood at rackspace.com>
>> wrote:
>>
>>>  Hello Asha,
>>>
>>>  The /v1/secrets resource is used to upload, encrypt and store your
>>> secrets, and to decrypt and retrieve those secrets. Key encryption keys
>>> (KEKs) internal to Barbican are used to encrypt the secret.
>>>
>>>  The /v1/orders resource is used when you want Barbican to generate
>>> secrets for you. When they are done they give you references to where the
>>> secrets are stored so you can retrieve them via the secrets resource above.
>>>
>>>  Hope that helps!
>>>
>>>  Thanks,
>>> John
>>>
>>>   From: Asha Seshagiri <asha.seshagiri at gmail.com>
>>> Date: Thursday, April 16, 2015 at 1:23 AM
>>> To: openstack-dev <openstack-dev at lists.openstack.org>
>>> Cc: John Wood <john.wood at rackspace.com>, "Reller, Nathan S." <
>>> Nathan.Reller at jhuapl.edu>, Douglas Mendizabal <
>>> douglas.mendizabal at RACKSPACE.COM>, Paul Kehrer <
>>> paul.kehrer at RACKSPACE.COM>, Adam Harwell <adam.harwell at RACKSPACE.COM>,
>>> Alexis Lee <alexisl at hp.com>
>>> Subject: Barbican : What is the difference between secret and order
>>> resource
>>>
>>>   Hi All,
>>>
>>>  What is the difference between the secret and the order resource?
>>> Where is the key stored that is used for encrypting the payload in the
>>> secret resource, and how do we access it?
>>>
>>>  According to my understanding,
>>>
>>>  Storing/posting the secret means we are encrypting the actual
>>> information (payload) using the key generated internally by Barbican
>>> based on the type mentioned in the secret type.
>>> Getting the secret means we are decrypting the information and getting
>>> the actual information.
>>>
>>>  Posting the order refers to the generation of the actual keys by
>>> Barbican and encrypting those keys based on the algorithm and the internal
>>> key generated by Barbican.
>>> This encrypted key is referred to through the secret reference and the
>>> whole metadata is referred to through an order reference.
>>>
>>>  Please correct me if I am wrong.
>>> Any help would be highly appreciated.
>>>
>>>
>>>  --
>>>  Thanks and Regards,
>>> Asha Seshagiri
>>>
>>
>>
>>
>>  --
>>  Thanks and Regards,
>> Asha Seshagiri
>>
>
>
>
>  --
>  Thanks and Regards,
> Asha Seshagiri
>



-- 
Thanks and Regards,
Asha Seshagiri
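The flow the thread walks through, as an added example that is not Barbican's own code: an in-memory stand-in for the /v1/orders and /v1/secrets resources. It shows the two points John makes: an order only generates a key and then stores it through the same path a client-uploaded secret takes, and a GET with the payload content type returns the secret decrypted while the bytes at rest stay KEK-wrapped. The `MiniBarbican` class, its method names, the order metadata (copied from the response quoted in the thread) and the SHA-256 keystream used in place of Barbican's real KEK encryption are all assumptions made for this example.

```python
"""Miniature model of the Barbican secrets/orders flow from this thread.
Added example, not Barbican's code. The hash-based keystream below is a
hypothetical stand-in for Barbican's real KEK encryption, not a real cipher.
"""
import hashlib
import secrets
import uuid

# Same base URL as the curl commands quoted in the thread.
BASE = "http://localhost:9311/v1"


class MiniBarbican:
    """In-memory stand-in for the /v1/secrets and /v1/orders resources."""

    def __init__(self):
        # Internal key-encryption key (KEK). Never exposed through the API.
        self._kek = secrets.token_bytes(32)
        self._secrets = {}  # secret id -> ciphertext, nonce and metadata
        self._orders = {}   # order id -> order document

    def _kek_crypt(self, nonce, data):
        """XOR with a SHA-256 keystream derived from KEK + per-secret nonce.
        Symmetric, so one function encrypts and decrypts (stand-in only)."""
        out = bytearray()
        for off in range(0, len(data), 32):
            block = hashlib.sha256(self._kek + nonce + off.to_bytes(4, "big")).digest()
            out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
        return bytes(out)

    def post_secret(self, name, payload, content_type, algorithm=None,
                    bit_length=None, mode=None):
        """POST /v1/secrets: the client supplies plaintext; we encrypt at rest."""
        sid = str(uuid.uuid4())
        nonce = secrets.token_bytes(16)
        self._secrets[sid] = {
            "nonce": nonce,
            "ciphertext": self._kek_crypt(nonce, payload),
            "meta": {"status": "ACTIVE", "secret_type": "opaque", "name": name,
                     "algorithm": algorithm, "bit_length": bit_length,
                     "mode": mode, "expiration": None,
                     "content_types": {"default": content_type},
                     "secret_ref": f"{BASE}/secrets/{sid}"},
        }
        return f"{BASE}/secrets/{sid}"

    def post_order(self, meta):
        """POST /v1/orders: the service generates the key, then stores it via
        the same encrypt-at-rest path a client-supplied secret would take."""
        key = secrets.token_bytes(meta["bit_length"] // 8)
        secret_ref = self.post_secret(meta["name"], key, meta["payload_content_type"],
                                      meta["algorithm"], meta["bit_length"], meta["mode"])
        oid = str(uuid.uuid4())
        self._orders[oid] = {"status": "ACTIVE", "type": "key", "meta": meta,
                             "secret_ref": secret_ref,
                             "order_ref": f"{BASE}/orders/{oid}"}
        return self._orders[oid]["order_ref"]

    def get(self, ref, accept="application/json"):
        """GET an order or secret ref. JSON yields metadata; the payload
        content type yields the secret decrypted, as described in the thread."""
        kind, _, ident = ref[len(BASE) + 1:].partition("/")
        if kind == "orders":
            return dict(self._orders[ident])
        rec = self._secrets[ident]
        if accept == "application/json":
            return dict(rec["meta"])
        if accept != rec["meta"]["content_types"]["default"]:
            raise ValueError("406 Not Acceptable: unsupported content type")
        return self._kek_crypt(rec["nonce"], rec["ciphertext"])

    def at_rest(self, secret_ref):
        """What an operator reading the database sees: KEK-wrapped bytes."""
        return self._secrets[secret_ref.rsplit("/", 1)[1]]["ciphertext"]


def walk_order_flow():
    """Order -> secret_ref -> metadata -> decrypted payload, as in the thread."""
    svc = MiniBarbican()
    order_ref = svc.post_order({"name": "secretname2", "algorithm": "aes",
                                "payload_content_type": "application/octet-stream",
                                "mode": "cbc", "bit_length": 256, "expiration": None})
    order = svc.get(order_ref)
    meta = svc.get(order["secret_ref"])
    payload = svc.get(order["secret_ref"], accept="application/octet-stream")
    return {"order": order, "meta": meta, "payload": payload,
            "at_rest": svc.at_rest(order["secret_ref"])}


if __name__ == "__main__":
    r = walk_order_flow()
    print(r["order"]["status"], r["meta"]["bit_length"], len(r["payload"]),
          "decrypted differs from at-rest:", r["payload"] != r["at_rest"])
```

The 32 bytes returned for `Accept: application/octet-stream` are the generated AES-256 key itself, which is why the curl output in the thread is unreadable binary rather than ciphertext; only the `at_rest` view shows KEK-wrapped data. Protecting those bytes on the wire is a job for TLS (or the transport key feature John mentions), not something the secrets resource does on its own.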