[openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Ian Cordasco sigmavirus24 at gmail.com
Mon Jan 16 20:06:54 UTC 2017


-----Original Message-----
From: Dave McCowan (dmccowan) <dmccowan at cisco.com>
Reply: OpenStack Development Mailing List (not for usage questions)
<openstack-dev at lists.openstack.org>
Date: January 16, 2017 at 13:03:41
To: OpenStack Development Mailing List (not for usage questions)
<openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?
> Yep. Barbican supports four backend secret stores. [1]
>
> The first (Simple Crypto) is easy to deploy, but not extraordinarily
> secure, since the secrets are encrypted using a static key defined in the
> barbican.conf file.
>
> The second and third (PKCS#11 and KMIP) are secure, but require an HSM as
> a hardware base to encrypt and/or store the secrets.
> The fourth (Dogtag) is secure, but requires a deployment of Dogtag to
> encrypt and store the secrets.
>
> We do not currently have a secret store that is both highly secure and
> easy to deploy/manage.
>
> We, the Barbican community, are very open to any ideas, blueprints, or
> patches on how to achieve this.
> In any of the homegrown per-project secret stores, has a solution been
> developed that solves both of these?
>
>
> [1] http://docs.openstack.org/project-install-guide/key-manager/draft/barbican-backend.html

So there seems to be a consensus that Vault is a good, easy and secure
solution to deploy. Can Barbican use that as a backend secret store?

--
Ian Cordasco
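To make the trade-off in the quoted reply concrete, the following is an added barbican.conf fragment that is not from this thread or copied from the Barbican project: it shows the Simple Crypto backend, whose single static key lives in the config file, beside a PKCS#11 configuration where the master KEK stays inside an HSM. Section and option names follow the Barbican sample configuration as I know it; the library path, login, labels and key value are placeholders to be replaced for a real deployment, and the two variants are alternatives, not meant to coexist in one file.

```ini
# Added example, not part of the original thread. Option names follow the
# Barbican sample barbican.conf; values in <...> are placeholders.
# The two variants below are alternatives: keep only one [secretstore] /
# [crypto] pair in a real file.

# --- Variant A: Simple Crypto backend (easy, but weak) ------------------
# Every stored secret is wrapped with the one static KEK below. Anyone who
# can read this file together with the Barbican database can recover every
# secret, so the file needs the same protection as the secrets themselves.
[secretstore]
enabled_secretstore_plugins = store_crypto

[crypto]
enabled_crypto_plugins = simple_crypto

[simple_crypto_plugin]
# 32-byte key, base64 encoded. Never deploy the sample value that ships in
# the packaged config; generate a fresh one per deployment.
kek = <base64-encoded 32-byte key>

# --- Variant B: PKCS#11 backend with an HSM (secure, needs hardware) -----
# The master KEK and HMAC key are created in and never leave the HSM;
# barbican.conf only holds the session login and the labels used to find
# them, so reading the config plus the database is no longer enough.
[secretstore]
enabled_secretstore_plugins = store_crypto

[crypto]
enabled_crypto_plugins = p11_crypto

[p11_crypto_plugin]
library_path = </path/to/vendor/pkcs11/library.so>
login = <HSM partition or token password>
mkek_label = <label of the master KEK object in the HSM>
mkek_length = 32
hmac_label = <label of the HMAC key object in the HSM>
slot_id = 1
```

For variant A, a fresh key can be produced with `openssl rand -base64 32`; the operational point is that rotating that value, or rotating the HSM labels in variant B, is only possible if the existing secrets are re-wrapped, which is part of why the reply above calls the easy option not extraordinarily secure and the secure options hard to deploy.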
