Support KMIP

Registered by Nathan Reller

This blueprint proposes enhancing Barbican to support the Key Management Interoperability Protocol (KMIP). The KMIP technical committee’s goal is to “define a single, comprehensive protocol for communication between encryption systems and a broad range of new and legacy enterprise applications.” Supporting KMIP will allow Barbican to support a new standard that aims to simplify key management.

Blueprint information

Status: Complete
Approver: Douglas Mendizábal
Priority: Medium
Drafter: Nathan Reller
Direction: Approved
Assignee: Nathan Reller
Definition: Approved
Series goal: Accepted for juno
Implementation: Implemented
Milestone target: None
Started by: Nathan Reller
Completed by: Nathan Reller

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/support-kmip,n,z

Addressed by: https://review.openstack.org/91107
    Adds SecretMetadata table

-----

See etherpad here: https://etherpad.openstack.org/p/secret-store

Decision at OpenStack Atlanta:

Migrate the plugin contract to look like Nathan's database contract, with put_secret()/get_secret() methods. The put_secret() method would return a DTO that has three fields: secret_uuid, kek_meta_extended, encrypted_data. These are optional fields, set by the plugin as needed. Storage plugins like Dogtag and KMIP would populate the secret_uuid to their systems. The HSM plugin would populate the kek and encrypted fields.
