[openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

Douglas Mendizábal douglas.mendizabal at rackspace.com
Wed Jan 18 21:06:23 UTC 2017



I think that a Vault backend would only be valuable to folks who are
already using Vault.

For deployers who don't yet have a key management solution, a Vault
backend would not solve the problem of having to deploy yet another
service.  In fact it would make it worse since the deployer would have
to deploy both Vault AND Barbican to get a working solution.  It seems
to me that it would create the same concerns that folks are having
about deploying DogTag and Barbican to get a software-only solution.

I do like Vault, and I think that some of the things they've done with
the software-only configuration are pretty cool.  I spent some time
looking into what it would take to wire up Barbican to use Vault as a
backend, and the tricky part is being able to map Keystone auth to one
of Vault's many auth drivers.

For my use case, the effort of sorting out the auth mapping between
the two systems in addition to the overhead of running both Vault and
Barbican seemed like a bigger task than improving the Simple Crypto
driver to remove the encryption key from the conf file.

- Douglas

On 1/17/17 7:49 AM, Dave McCowan (dmccowan) wrote:
> 
> 
> On 1/16/17, 3:06 PM, "Ian Cordasco" <sigmavirus24 at gmail.com>
> wrote:
> 
>> -----Original Message-----
>> From: Dave McCowan (dmccowan) <dmccowan at cisco.com>
>> Reply: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
>> Date: January 16, 2017 at 13:03:41
>> To: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
>> Subject: Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?
>>> Yep. Barbican supports four backend secret stores. [1]
>>> 
>>> The first (Simple Crypto) is easy to deploy, but not
>>> extraordinarily secure, since the secrets are encrypted using a
>>> static key defined in the barbican.conf file.
>>> 
>>> The second and third (PKCS#11 and KMIP) are secure, but require
>>> an HSM as a hardware base to encrypt and/or store the secrets. 
>>> The fourth (Dogtag) is secure, but requires a deployment of
>>> Dogtag to encrypt and store the secrets.
>>> 
>>> We do not currently have a secret store that is both highly
>>> secure and easy to deploy/manage.
>>> 
>>> We, the Barbican community, are very open to any ideas,
>>> blueprints, or patches on how to achieve this. In any of the
>>> homegrown per-project secret stores, has a solution been 
>>> developed that solves both of these?
>>> 
>>> 
>>> [1] http://docs.openstack.org/project-install-guide/key-manager/draft/barbican-backend.html
>> 
>> So there seems to be a consensus that Vault is a good easy and
>> secure solution to deploy. Can Barbican use that as a backend
>> secret store?
> 
> Adding a new secret store plugin for Vault would be a welcome
> addition. We have documentation in our repo on how to write a new
> plugin. [1]   I can schedule some time at the PTG to plan for this
> in Pike if there are interested developers.
> 
> [1] https://github.com/openstack/barbican/blob/master/doc/source/plugin/secret_store.rst
> 
> 
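The weakness Dave describes for the Simple Crypto backend (the wrapping key sitting as a static value in barbican.conf) is something a deployer can at least check for. The following audit script is an added example written for this page, not code from the thread or from Barbican itself; the option names it reads (`crypto/enabled_crypto_plugins`, `simple_crypto_plugin/kek`) and the sample config are assumptions modelled on Barbican's sample configuration, so adjust them to match your deployment.

```python
import base64
import configparser
import os
import stat
import tempfile

# Constructed sample barbican.conf fragment (assumed layout, not from the post):
# Simple Crypto enabled, with the key-encryption key (kek) written inline.
SAMPLE_CONF = """
[crypto]
enabled_crypto_plugins = simple_crypto

[simple_crypto_plugin]
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
"""

def audit_simple_crypto(conf_path):
    """Return a list of findings about the static-key backend in a barbican.conf."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(conf_path)
    plugins = [p.strip() for p in cp.get("crypto", "enabled_crypto_plugins", fallback="").split(",")]
    if "simple_crypto" in plugins:
        findings.append("simple_crypto enabled: secrets are wrapped with a static key")
        kek = cp.get("simple_crypto_plugin", "kek", fallback="").strip("'\"")
        if kek:
            findings.append("kek is stored in plain text in the conf file")
            # A kek that decodes to a guessable ASCII string is a placeholder, not a key.
            raw = base64.b64decode(kek)
            if raw.isalnum():
                findings.append("kek decodes to a guessable ASCII placeholder")
    # The key is only as secret as the file: group/other read access exposes it.
    mode = stat.S_IMODE(os.stat(conf_path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("conf file readable by group or others (mode %o)" % mode)
    return findings

def demo():
    """Write the constructed sample to a temp file with 0644 perms and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SAMPLE_CONF)
        path = fh.name
    os.chmod(path, 0o644)
    try:
        return audit_simple_crypto(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```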
