Add Crypto/HSM Master and Wrapped Project KEK Rotation and Migration Support

Registered by John Wood on 2015-04-29

Currently Barbican has no means to migrate secrets encrypted with a crypto/HSM-style plugin to a new master key encryption key (MKEK) and its associated wrapped project KEKs. This blueprint proposes adding a new Barbican service process that supports completing the rotation of secrets to a new master key encryption key (MKEK) and a new wrapped project KEK. This process would be started after deployers, out of band: (1) generate new MKEK and HMAC signing keys with a binding to new labels, and then (2) replicate these keys to other HSMs that may be in the high availability (HA) group, and then (3) update Barbican's config file to reference these new labels, and finally (4) restart the Barbican nodes. The proposed process would then migrate secrets from encryption via the old keys to encryption via the new ones.

Blueprint information

Status:
Not started
Approver:
None
Priority:
Undefined
Drafter:
John Wood
Direction:
Needs approval
Assignee:
None
Definition:
New
Series goal:
None
Implementation:
Unknown
Milestone target:
None

Related branches

Sprints

Whiteboard

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.