[openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Dave McCowan (dmccowan) dmccowan at cisco.com
Tue Jan 17 13:49:01 UTC 2017



On 1/16/17, 3:06 PM, "Ian Cordasco" <sigmavirus24 at gmail.com> wrote:

>-----Original Message-----
>From: Dave McCowan (dmccowan) <dmccowan at cisco.com>
>Reply: OpenStack Development Mailing List (not for usage questions)
><openstack-dev at lists.openstack.org>
>Date: January 16, 2017 at 13:03:41
>To: OpenStack Development Mailing List (not for usage questions)
><openstack-dev at lists.openstack.org>
>Subject:  Re: [openstack-dev] [all] [barbican] [security] Why are
>projects trying to avoid Barbican, still?
>> Yep. Barbican supports four backend secret stores. [1]
>>
>> The first (Simple Crypto) is easy to deploy, but not extraordinarily
>> secure, since the secrets are encrypted using a static key defined in
>>the
>> barbican.conf file.
>>
>> The second and third (PKCS#11 and KMIP) are secure, but require an HSM
>>as
>> a hardware base to encrypt and/or store the secrets.
>> The fourth (Dogtag) is secure, but requires a deployment of Dogtag to
>> encrypt and store the secrets.
>>
>> We do not currently have a secret store that is both highly secure and
>> easy to deploy/manage.
>>
>> We, the Barbican community, are very open to any ideas, blueprints, or
>> patches on how to achieve this.
>> In any of the homegrown per-project secret stores, has a solution been
>> developed that solves both of these?
>>
>>
>> [1]
>> http://docs.openstack.org/project-install-guide/key-manager/draft/barbican-backend.html
>
>So there seems to be a consensus that Vault is a good easy and secure
>solution to deploy. Can Barbican use that as a backend secret store?

Adding a new secret store plugin for Vault would be a welcome addition.
We have documentation in our repo on how to write a new plugin. [1] I
can schedule some time at the PTG to plan for this in Pike if there are
interested developers.

[1] https://github.com/openstack/barbican/blob/master/doc/source/plugin/secret_store.rst
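A small Python model of the trade-off discussed in this thread (a config-file KEK that is easy to deploy versus an HSM-held key that never leaves the device), added here as an illustration; it is not Barbican's code nor code from anyone on this list. The two store classes are an assumed simplification of Barbican's secret-store plugin interface (store_secret/get_secret only), CONFIG is a constructed stand-in for barbican.conf, and the cipher is an HMAC-SHA256 counter-mode construction used only so the example runs offline with the standard library.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed stand-in for barbican.conf: under Simple Crypto the
# key-encryption key (KEK) is a static value in the config file.
CONFIG = {"simple_crypto": {"kek": base64.b64encode(b"\x01" * 32).decode()}}


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stdlib-only stand-in for AES so this runs offline."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before decrypting; rejects tampered blobs and blobs sealed under another key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("secret blob failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class SimpleCryptoStore:
    """Easy to deploy: the KEK is read from the config file and held in process memory,
    so the config file plus a database dump is sufficient to decrypt every secret."""

    name = "simple_crypto"

    def __init__(self, config):
        self.kek = base64.b64decode(config["simple_crypto"]["kek"])
        self.db = {}  # stands in for the Barbican database rows holding ciphertext

    def store_secret(self, secret_id, plaintext):
        self.db[secret_id] = seal(self.kek, plaintext)
        return {"plugin": self.name, "id": secret_id}

    def get_secret(self, secret_id):
        return unseal(self.kek, self.db[secret_id])


class FakeHsm:
    """Models an HSM (assumed, not a real PKCS#11 device): the key is generated
    inside and only wrap/unwrap operations are exposed to the caller."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # never returned to the caller

    def wrap(self, plaintext):
        return seal(self._key, plaintext)

    def unwrap(self, blob):
        return unseal(self._key, blob)


class HsmBackedStore:
    """Secure but needs hardware: no KEK bytes exist in the config file or in the plugin,
    so a database dump alone is ciphertext without access to the HSM."""

    name = "pkcs11_like"

    def __init__(self, hsm):
        self.hsm = hsm
        self.db = {}

    def store_secret(self, secret_id, plaintext):
        self.db[secret_id] = self.hsm.wrap(plaintext)
        return {"plugin": self.name, "id": secret_id}

    def get_secret(self, secret_id):
        return self.hsm.unwrap(self.db[secret_id])


def roundtrip(store, secret_id, plaintext):
    """Store then fetch a secret through the plugin interface; returns the recovered bytes."""
    store.store_secret(secret_id, plaintext)
    return store.get_secret(secret_id)


if __name__ == "__main__":
    for store in (SimpleCryptoStore(CONFIG), HsmBackedStore(FakeHsm())):
        print(store.name, roundtrip(store, "db-password", b"hunter2"),
              "kek in plugin:", hasattr(store, "kek"))
```

Both stores satisfy the same interface, which is the point of a plugin model: a Vault-backed plugin would slot in the same way, with the KEK held by Vault rather than by the config file or an HSM. The integrity tag also means a blob sealed by one store is rejected, not silently mis-decrypted, by another.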
