Barbican 1.0: Key management for the open cloud
Jarret Raim & Matt Tesauro
Barbican 1.0 - Open Source Key Management for OpenStack

  1. Barbican 1.0: Key management for the open cloud
  2. About us: Jarret Raim & Matt Tesauro. Academic, developer, security consultant, security architect; OWASP board member, OWASP Live CD, OWASP WTE; Racker since '11; product security, security products, hacking the Rack.
  3. Everyone writing code needs good key management. Customers: [chart of the most important security technologies for a hoster to provide, ranked by #1, #2 and #3 choice; categories: Data Protection (57%), Endpoint & Network Protection (19%), Identity & Access Control (13%), Application Security, Vulnerability & Incident Management, Configuration & Patch Management]
  4. Every OpenStack project has encryption needs. Swift & Glance: encrypted files at rest. Cinder: transparent volume encryption. Trove: encrypted databases and tables. Heat: AES, SSH & SSL key management. Neutron: SSL certificates and VPN keys. Marconi: encrypted queue messages. Nova & Ironic: SSH keys, encrypted file systems. Savanna: analytics on encrypted data. Keystone: encrypted metadata, user-level keys. Oslo: support all the things.
  5. Custom dev. Settings: commonly exposed settings, including credentials, can be protected either through encryption or by storing the entire settings file. Encryption keys: keys used to provide encryption for data at rest. SSL keys: SSL / TLS private keys. SSH keys: keys used for access control.
  6. Interaction models, from least secure to most secure: Transparent Encryption (least secure), Federated Keys, On-Premise Management (most secure).
  7. Transparent encryption [diagram: Customer, Rackspace and Consuming Service, each split into Public and Private zones].
  8. Federated keys [diagram: Customer, Rackspace and Consuming Service, each split into Public and Private zones].
  9. On-premise [diagram: Customer and Rackspace, each split into Public and Private zones].
  10. Vagrant up (demo).
  11. Key storage [diagram: DEK -> Barbican API Node -> Hardware Security Module (KEK) -> Data Store (encrypted DEK)]. All keys are encrypted with a tenant-level key encryption key (KEK). This key never leaves the HSM (if using one). The encrypted data encryption key (DEK) is stored in the Barbican data store.
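The envelope scheme on this slide, as an added example that is not Barbican's own code: the KEK exists only inside an HSM-like boundary that exposes wrap and unwrap, the data store holds nothing but wrapped DEKs, and a DEK wrapped for one tenant cannot be unwrapped under another tenant's KEK. AES-256-GCM as the wrapping mode, the tenant id as associated data, and the type and function names are all assumptions of this example; the slide names none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// HSM models the boundary on the slide: the tenant KEK lives only inside it and
// callers get wrap/unwrap operations, never the key bytes. AES-256-GCM as the
// wrapping mode is an assumption of this example; the slide does not name one.
type HSM struct {
	keks map[string][]byte // tenant id -> 32-byte KEK
}

func NewHSM() *HSM { return &HSM{keks: make(map[string][]byte)} }

// ProvisionTenantKEK generates a tenant KEK inside the HSM boundary.
func (h *HSM) ProvisionTenantKEK(tenant string) error {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return err
	}
	h.keks[tenant] = kek
	return nil
}

func (h *HSM) aead(tenant string) (cipher.AEAD, error) {
	kek, ok := h.keks[tenant]
	if !ok {
		return nil, errors.New("no KEK provisioned for tenant")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap returns nonce||ciphertext||tag of the DEK under the tenant KEK. The tenant
// id is bound as associated data, so a blob wrapped for one tenant does not
// unwrap under another tenant's KEK even if the store row is mislabelled.
func (h *HSM) Wrap(tenant string, dek []byte) ([]byte, error) {
	g, err := h.aead(tenant)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, dek, []byte(tenant)), nil
}

// Unwrap reverses Wrap; any modification of the stored blob fails authentication.
func (h *HSM) Unwrap(tenant string, blob []byte) ([]byte, error) {
	g, err := h.aead(tenant)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("wrapped DEK too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(tenant))
}

// DataStore stands in for the Barbican data store: it holds only wrapped DEKs.
type DataStore struct {
	wrapped map[string][]byte // secret id -> wrapped DEK
}

func NewDataStore() *DataStore { return &DataStore{wrapped: make(map[string][]byte)} }

// StoreSecret generates a fresh DEK, has the HSM wrap it and persists only the
// wrapped form; the plaintext DEK goes back to the caller and is never stored.
func StoreSecret(h *HSM, ds *DataStore, tenant, secretID string) ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	blob, err := h.Wrap(tenant, dek)
	if err != nil {
		return nil, err
	}
	ds.wrapped[secretID] = blob
	return dek, nil
}

// FetchSecret loads the wrapped DEK and asks the HSM to unwrap it.
func FetchSecret(h *HSM, ds *DataStore, tenant, secretID string) ([]byte, error) {
	blob, ok := ds.wrapped[secretID]
	if !ok {
		return nil, errors.New("unknown secret")
	}
	return h.Unwrap(tenant, blob)
}

func main() {
	h, ds := NewHSM(), NewDataStore()
	if err := h.ProvisionTenantKEK("12345"); err != nil {
		panic(err)
	}
	dek, _ := StoreSecret(h, ds, "12345", "secret-1") // ids are constructed sample values
	got, err := FetchSecret(h, ds, "12345", "secret-1")
	fmt.Printf("wrapped blob is %d bytes; unwrap ok: %v\n",
		len(ds.wrapped["secret-1"]), err == nil && string(got) == string(dek))
}
```

The point to take from the example is the shape of the trust boundary rather than the cipher choice: a compromise of the data store alone yields only AEAD ciphertext, and a wrapped DEK cannot be replayed under a different tenant because the tenant id is authenticated along with it.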
  12. The keying material: Secret resource.

      POST v1/{tenant_id}/secrets

      {
        "name": "AES key",
        "expiration": "2014-02-28T19:14:44.180394",
        "algorithm": "aes",
        "bit_length": 256,
        "mode": "cbc",
        "payload": "gF6+lLoF3ohA9aPRpt+6bQ==",
        "payload_content_type": "application/octet-stream",
        "payload_content_encoding": "base64"
      }

      GET v1/{tenant_id}/secrets/888b29a4-c7cf-49d0-bfdf-bd9e6f26d718

      {
        "status": "ACTIVE",
        "updated": "2013-06-28T15:23:33.092660",
        "name": "AES key",
        "algorithm": "AES",
        "mode": "cbc",
        "bit_length": 256,
        "content_types": {
          "default": "application/octet-stream"
        },
        "expiration": "2013-05-08T16:21:38.134160",
        "secret_href": "http://localhost:8080/v1/12345/secrets/888b29a4-c7cf-49d0-bfdf-bd9e6f26d718"
      }
  13. The keying material: Orders resource.

      POST v1/orders

      {
        "secret": {
          "name": "secretname",
          "algorithm": "AES",
          "bit_length": 256,
          "mode": "cbc",
          "payload_content_type": "application/octet-stream"
        }
      }

      GET v1/orders/f9b633d-…-80289e

      {
        "secret": {
          "name": "secretname",
          "algorithm": "aes",
          "bit_length": 256,
          "mode": "cbc",
          "payload_content_type": "application/octet-stream"
        },
        "order_href": "http://localhost:8080/v1/12345/orders/f9b633d8-…-5b2c9280289e",
        "secret_href": "http://localhost:8080/v1/12345/secrets/888b29a4-c7cf-49d0-bfdf-bd9e6f26d718"
      }
  14. Swift demo: transparent encryption for object storage.
  15. Portcullis proxy. Pyrox is an HTTP reverse proxy that can intercept requests ahead of an upstream HTTP REST service. This allows reuse of common middleware functions like message enhancement, dynamic routing, authentication, authorization, resource request rate limiting, service distribution, content negotiation and content transformation. These services can then be scaled horizontally, separately from the origin REST endpoint. Key per file: Portcullis currently uses a single key per encrypted file. This is to deal with copy-between-container semantics in Swift. HMAC and the /verify resource: we currently use AES-CBC with HMAC. We'll move to GCM as soon as the code is stable. We have a new /verify resource that clients can use to check integrity. Filename & container names: we don't currently encrypt filenames and container names. This is to ensure that all tools that expect Swift semantics still work. Flow control: Pyrox performs the necessary flow control functionality that needs to happen to keep the proxy from being overwhelmed.
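The per-file AES-CBC-with-HMAC construction and the integrity check behind a /verify-style resource, as an added example that is not Portcullis or Pyrox code: encrypt-then-MAC over iv||ciphertext, a Verify step that checks the tag in constant time without decrypting, and an Open step that refuses to touch the padding until Verify has passed, so a forged blob never reaches the padding check. Separate encryption and MAC keys per file, HMAC-SHA256, PKCS#7 padding and the function names are assumptions of this example; the slide only states AES-CBC with HMAC and one key per file.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FileKey is the per-file key material. Using an independent key for the MAC
// rather than reusing the AES key is an assumption of this example.
type FileKey struct {
	Enc []byte // 32 bytes, AES-256
	Mac []byte // 32 bytes, HMAC-SHA256
}

// NewFileKey draws fresh material for one object, matching "key per file".
func NewFileKey() (*FileKey, error) {
	k := &FileKey{Enc: make([]byte, 32), Mac: make([]byte, 32)}
	if _, err := rand.Read(k.Enc); err != nil {
		return nil, err
	}
	if _, err := rand.Read(k.Mac); err != nil {
		return nil, err
	}
	return k, nil
}

// pad applies PKCS#7 so the plaintext is a whole number of AES blocks.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad padding")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Seal produces iv || ciphertext || tag, where tag = HMAC-SHA256(iv || ciphertext).
func Seal(k *FileKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, k.Mac)
	mac.Write(body)
	return mac.Sum(body), nil
}

// Verify is what a /verify-style resource does: recompute the tag over
// iv||ciphertext and compare in constant time, without decrypting anything.
func Verify(k *FileKey, blob []byte) bool {
	if len(blob) < aes.BlockSize+sha256.Size {
		return false
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, k.Mac)
	mac.Write(body)
	return hmac.Equal(mac.Sum(nil), tag)
}

// Open verifies first and only then decrypts and unpads, so padding errors can
// only ever be raised for a blob whose tag is already valid.
func Open(k *FileKey, blob []byte) ([]byte, error) {
	if !Verify(k, blob) {
		return nil, errors.New("integrity check failed")
	}
	body := blob[:len(blob)-sha256.Size]
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return unpad(pt)
}

func main() {
	k, _ := NewFileKey()
	blob, _ := Seal(k, []byte("constructed sample object body"))
	fmt.Println("verify before tamper:", Verify(k, blob))
	blob[aes.BlockSize] ^= 1 // flip one ciphertext bit
	fmt.Println("verify after tamper:", Verify(k, blob))
}
```

Because each object has its own key, a client holding the key for one object learns nothing from another object's tag, and the proxy can serve /verify without ever producing plaintext, which is the property that makes an integrity endpoint safe to expose.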
  16. Future work. KMIP support: there is a possibility that a Python KMIP client will be open-sourced by SafeNet soon. If so, we'll integrate it; if not, we'll build our own. SSL / TLS: Barbican will support the provisioning of SSL certificates from internal and external CAs. Federation: support for federated keys in both Barbican-to-Barbican and Barbican-to-HSM configurations. Integrations: Barbican will help teams integrate to provide encryption services.
  17. Integrate now. python-barbicanclient provides both a programmatic and a command line interface to a Barbican instance:

      from barbicanclient import client

      barbican_client = client.Client(endpoint='http://path-to-barbican',
                                      tenant_id='tenant_id_for_context')

      barbican_client.secrets.store(name, payload, payload_content_type,
                                    payload_content_encoding, algorithm,
                                    bit_length, mode, expiration)

      barbican_client.orders.create(name, payload_content_type, algorithm,
                                    bit_length, mode, expiration)

      usage: keep [-h] [--no-auth | --os-auth-url <auth-url>]
                  [--os-username <auth-user-name>] [--os-password <auth-password>]
                  [--os-tenant-name <auth-tenant-name>] [--os-tenant-id <tenant-id>]
                  [--endpoint <barbican-url>]
                  <entity> <action> ...

      Source code & documentation: the documentation and source code both reside on GitHub in the CloudKeep organization. Blueprints and project documentation are on Launchpad. Integration environment: Barbican maintains an integration environment on Public Cloud for testing. Not for use in production deploys, but usable for testing / dev.
  18. ~ fin ~ #openstack-cloudkeep, github.com/cloudkeep, barbican@lists.google.com