Barbican 1.0 - Open Source Key Management for OpenStack

4,720 views

Published on

Published in: Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,720
On SlideShare
0
From Embeds
0
Number of Embeds
9
Actions
Shares
0
Downloads
143
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

Barbican 1.0 - Open Source Key Management for OpenStack

  1. 1. Barbican1.0 Key management for the open cloud
  2. 2. Jarret Raim & Matt Tesauro aboutus ACADEMIC DEVELOPER SECURITY CONSULTANT SECURITY ARCHITECT OWASP BOARD MEMBER OWASP LIVE CD OWASP WTE RACKER SINCE ‘11 PRODUCT SECURITY SECURITY PRODUCTS HACKING THE RACK
  3. 3. Everyone writing code needs good key management CustomerS Most important security technologies for a hoster to provide ! Data Protection! 57%! Endpoint & Network Protection! 19%! Identity & Access Control! 13%! 11%! 11%! 9%! 73% 46% 16%! 18%! 2%! #1 Choice! 38% #2 Choice! Application Security! Vulnerability & Incident Management! Configuration & Patch Management! 7%! 27%! 4%! 2%! 18%! 18%! 13%! 49% 27%! 27%! 52% 42% #3 Choice!
  4. 4. Every OpenStack project has encryption needs OpenStack Swift & Glance Cinder Encrypted files at rest. Transparent volume encryption. Trove Heat Encrypted databases and tables. AES, SSH & SSL key management. Neutron Marconi SSL Certificates and VPN keys. Encrypted queue messages. Nova & Ironic Savanna SSH keys, encrypted file systems. Analytics on encrypted data. Keystone OSLO Encrypted metadata, user level keys. Support all the things.
  5. 5. Customdev Settings Commonly exposed settings including credentials can be protected either through encryption or by storing the entire settings file. Encryption Keys Keys used to provide encryption for data at rest. SSL Keys SSL / TLS private keys. SSH Keys Keys used for access control.
  6. 6. InteractionMOdels Transparent Encryption Least secure Federated Keys On-Premise Management Most secure
  7. 7. Transparentencryption Customer Rackspace Consuming Service Public Public Private Private
  8. 8. FEderatedKeys Customer Rackspace Consuming Service Public Public Private Private
  9. 9. OnPRemise Customer Rackspace Public Public Private Private
  10. 10. VagrantUp
  11. 11. KeySTorage DEK Barbican API Node Hardware Security Module Data Store KEK DEK All keys are encrypted with a tenant-level key encryption key (KEK). This key never leaves the HSM (if using one). The encrypted data encryption key (DEK) is stored in the Barbican data store.
  12. 12. The keying material SecretResource POST v1/{tenant_id}/secrets! GET v1/{tenant_id}/secrets/888b29a4-c7cf-49d0bfdf-bd9e6f26d718! ! {! ! "name": "AES key",! "expiration": "2014-02-28T19:14:44.180394",! "algorithm": "aes",! "bit_length": 256,! "mode": "cbc",! "payload": "gF6+lLoF3ohA9aPRpt+6bQ==",! "payload_content_type": "application/octetstream",! "payload_content_encoding": "base64"! {! "status": "ACTIVE",! "updated": "2013-06-28T15:23:33.092660",! "name": "AES key",! "algorithm": "AES",! "mode": "cbc",! "bit_length": 256,! "content_types": {! "default": "application/octet-stream"! },! "expiration": "2013-05-08T16:21:38.134160",! "secret_href": "http://localhost:8080/ v1/12345/secrets/888b29a4-c7cf-49d0-bfdfbd9e6f26d718",! }! }!
  13. 13. The keying material OrdersResource POST v1/orders! GET v1/orders/f9b633d-…-80289e! ! ! {! {! "secret": {! "name": "secretname",! "algorithm": "AES",! "bit_length": 256,! "mode": "cbc",! "payload_content_type": "application/octetstream"! }! "secret": {! "name": "secretname",! "algorithm": "aes",! "bit_length": 256,! "mode": "cbc",! "payload_content_type": "application/octetstream"! },! "order_href": "http://localhost:8080/ v1/12345/orders/f9b633d8--5b2c9280289e",! "secret_href": "http://localhost:8080/ v1/12345/secrets/888b29a4-c7cf-49d0-bfdfbd9e6f26d718"! }! ! }!
  14. 14. SwiftDemo Transparent encryption for object storage.
  15. 15. portcullisproxy Pyrox is a HTTP reverse proxy that can intercept requests ahead of an upstream HTTP REST service. This allows reuse of common middleware functions like: message enhancement, dynamic routing, authentication, authorization, resource request rate limiting, service distribution, content negotiation and content transformation. These services can then be scaled horizontally separate the origin REST endpoint. Key Per File HMAC /verify resource Portcullis currently uses a single key per encrypted file. This is to deal with copy between container semantics in Swift. We currently use AES-CBC with HMAC. We’ll move to GCM as soon as the code is stable. We have a new /verify resource that clients can use to check integrity. Filename & Container Names Flow Control We don’t currently encrypt filenames and container names. This is to ensure that all tools that expect Swift semantics still work. Pyrox performs the necessary flow control functionality that needs to happen to keep the proxy from being overwhelmed.
  16. 16. Futurework KMIP Support There is a possibility that a Python KMIP client will be open-sourced by Safenet soon. If so, we’ll integrate it, if not, we’ll build our own. SSL / TLS Barbican will support the provisioning of SSL certificates from internal and external CAs. Federation Support for federated keys in both Barbican to Barbican and Barbican to HSM configurations. Integrations Barbican will help teams integrate to provide encryption services.
  17. 17. IntegrateNow Python-Barbicanclient from barbicanclient import client! Provides both a programmatic and command line interface to a Barbican instance. barbican_client = client.Client(endpoint='http://path-tobarbican', tenant_id='tenant_id_for_context')! ! ! Source Code & Documentation The documentation and source code both reside on GitHub in the CloudKeep organization. Blueprints and project documentation is on Launchpad. Integration Environment Barbican maintains an integration environment on Public Cloud for testing. Not for use in production deploys, but usable for testing / dev. barbican_client.secrets.store(name, payload, payload_content_type, payload_content_encoding, algorithm, bit_length, mode, expiration)! ! barbican_client.orders.create(name, payload_content_type, algorithm, bit_length, mode, expiration)! usage: keep [-h] [--no-auth | --os-auth-url <auth-url>]! "[--os-username <auth-user-name>] [--os-password <authpassword>] [--os-tenant-name <auth-tenant-name>] [--ostenant-id <tenant-id>] [--endpoint <barbican-url>]! "<entity> <action> ...!
  18. 18. ~ fin ~ #openstack-coudkeep github.com/cloudkeep barbican@lists.google.com

×