Add a wrapping key to encrypt/decrypt operations

Registered by Ade Lee

Right now, secrets are passed from clients to the Barbican server encrypted only by SSL. In Common Criteria environments, this is insufficient. Secrets need to be additionally encrypted at the point of origin, and ideally only decrypted where the secret will be stored. In a case where a hardware token is used, this would be on the token, so that even if an attacker gains access to the Barbican server and introspects the process memory, no secrets can be deciphered. This blueprint discusses the changes needed on the server side to implement this feature.

Blueprint information

Status: Complete
Approver: Douglas Mendizábal
Priority: Medium
Drafter: Ade Lee
Direction: Approved
Assignee: Ade Lee
Definition: Approved
Series goal: Accepted for juno
Implementation: Implemented
Milestone target: juno-3
Started by: Douglas Mendizábal
Completed by: Douglas Mendizábal

Whiteboard

An etherpad has been added for the review of this blueprint:

https://etherpad.openstack.org/p/add-wrapping-key-barbican-server

Gerrit topic: https://review.openstack.org/#q,topic:bp/add-wrapping-key-to-barbican-server,n,z

Addressed by: https://review.openstack.org/94875
    Add TransportKey as a resource

Addressed by: https://review.openstack.org/107110
    code to retrieve transport key on metadata request

Addressed by: https://review.openstack.org/107111
    Code to pass through transport_key_id when storing secret

Addressed by: https://review.openstack.org/107112
    Add code to retrieve secrets metadata and data with transport key
