Introduction to Keymanager

In this article, the basic concept of the OpenStack Barbican key manager is explained, including its uses and options.

Introduction

To protect your data in a public cloud, encryption becomes more important every day. One could think of encrypting traffic between clients and servers with HTTPS, encrypting volumes, or just encrypting valuable key/value pairs. OpenStack Barbican provides a REST API designed for the secure storage, provisioning and management of secrets such as passwords, encryption keys and X.509 certificates.


Use cases

Although the OpenStack key manager can be used to store secrets and raw binary data, it is mostly used to store symmetric keys, asymmetric keys and certificates for other OpenStack services to use.

HTTPS Load balancer

With OpenStack Octavia, it is possible to create a highly available load balancer. To allow the load balancer to encrypt HTTP traffic with certificates, the private key, the server certificate and any intermediate certificates can be stored in Barbican to be accessed by Octavia. On creation, restart or update of an Octavia load balancer with terminated HTTPS, Octavia requests the certificates from Barbican.

Encrypted volumes

We can use Barbican to manage Block Storage (cinder) encryption keys. LUKS is used to encrypt the data on the disks attached to your instances. The keys for the disk encryption are automatically generated by cinder and securely stored in Barbican. When attaching an encrypted volume to an instance, nova retrieves the key from Barbican and provides it to the compute process on the compute node.

Create a volume

Inner workings

Just like most OpenStack projects, Barbican is used through an API. The Barbican API can be used to store and retrieve secrets. When Barbican is given a secret, for example a private key, it encrypts the secret before storing it in its database. The encryption of the secrets is configurable through plugins; most cloud providers use Hardware Security Modules (HSMs) to protect the cryptographic keys securely while keeping them easily accessible. When a secret is retrieved, Barbican decrypts it and provides it to you or to the service requesting it. Barbican uses OpenStack Keystone to validate whether a user is allowed to store and retrieve secrets.
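The store-and-retrieve flow described above, and the storing of certificate material that Octavia later fetches, can be seen concretely in the following Python client. It is an added example for this article, not the article's own code and not python-barbicanclient; it uses only the standard library, assumes a Keystone token has already been obtained, uses a placeholder endpoint (`BARBICAN_ENDPOINT`), and follows the public Barbican v1 secrets API (`POST /v1/secrets`, `GET /v1/secrets/<uuid>/payload`). All function names are mine. The request-building helpers run offline; `store_secret` and `get_payload` need a live Barbican.

```python
"""Minimal client for the Barbican v1 secrets API, standard library only.

Added example for this article; it is not Barbican's own client
(python-barbicanclient). It assumes a valid Keystone token is already at
hand, that BARBICAN_ENDPOINT is a placeholder for the key-manager URL from
the Keystone service catalog, and that requests and responses follow the
public Barbican v1 secrets API.
"""
import base64
import json
import urllib.request

# Placeholder; in a real deployment take this from the Keystone service catalog.
BARBICAN_ENDPOINT = "http://barbican.example.invalid:9311"

# secret_type values defined by the Barbican v1 API.
SECRET_TYPES = {"symmetric", "public", "private", "passphrase", "certificate", "opaque"}


def build_store_request(endpoint, token, name, payload, secret_type="opaque",
                        content_type="text/plain", **metadata):
    """Return (url, headers, body) for POST /v1/secrets.

    Text payloads (PEM certificates, passphrases) are sent as-is. Binary
    payloads (PKCS#12 bundles, raw symmetric keys) must be base64 encoded and
    announced with payload_content_encoding, otherwise Barbican rejects them.
    """
    if secret_type not in SECRET_TYPES:
        raise ValueError(f"unknown secret_type {secret_type!r}")
    body = {"name": name, "secret_type": secret_type,
            "payload_content_type": content_type}
    if isinstance(payload, bytes):
        if content_type != "application/octet-stream":
            raise ValueError("binary payloads require application/octet-stream")
        body["payload"] = base64.b64encode(payload).decode("ascii")
        body["payload_content_encoding"] = "base64"
    else:
        if not content_type.startswith("text/plain"):
            raise ValueError("text payloads require text/plain")
        body["payload"] = payload
    # Optional metadata such as algorithm, bit_length, mode or expiration.
    body.update({k: v for k, v in metadata.items() if v is not None})
    headers = {"X-Auth-Token": token, "Content-Type": "application/json",
               "Accept": "application/json"}
    return f"{endpoint.rstrip('/')}/v1/secrets", headers, body


def secret_uuid_from_ref(secret_ref):
    """Barbican answers a store with {"secret_ref": ".../v1/secrets/<uuid>"}."""
    return secret_ref.rstrip("/").rsplit("/", 1)[-1]


def build_payload_request(secret_ref, token, content_type="text/plain"):
    """Return (url, headers) for GET /v1/secrets/<uuid>/payload.

    The Accept header has to match the payload_content_type the secret was
    stored with; Barbican decrypts the secret server-side and returns it raw.
    """
    headers = {"X-Auth-Token": token, "Accept": content_type}
    return f"{secret_ref.rstrip('/')}/payload", headers


def store_secret(endpoint, token, *args, **kwargs):
    """POST the secret and return its secret_ref (requires a live Barbican)."""
    url, headers, body = build_store_request(endpoint, token, *args, **kwargs)
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["secret_ref"]


def get_payload(secret_ref, token, content_type="text/plain"):
    """Fetch the decrypted payload (requires a live Barbican)."""
    url, headers = build_payload_request(secret_ref, token, content_type)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req) as resp:
        data = resp.read()
    return data if content_type == "application/octet-stream" else data.decode("utf-8")


if __name__ == "__main__":
    # Constructed sample inputs: a dummy PEM body and a few bytes standing in
    # for a PKCS#12 bundle. TOKEN is a placeholder for a real Keystone token.
    TOKEN = "<keystone-token>"
    pem = "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
    url, _, body = build_store_request(BARBICAN_ENDPOINT, TOKEN, "web-cert", pem,
                                       secret_type="certificate")
    print(url, json.dumps(body, indent=2))
    _, _, bundle = build_store_request(BARBICAN_ENDPOINT, TOKEN, "tls-bundle",
                                       b"\x30\x82\x01",
                                       content_type="application/octet-stream")
    print(json.dumps(bundle, indent=2))
```

Two details worth noticing: a secret is addressed by the `secret_ref` URL Barbican hands back, which is also what an Octavia listener is pointed at, and a binary payload that is not base64 encoded with `payload_content_encoding` set is refused at store time rather than stored corrupted.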


Conclusion

A key manager can be an essential part of protecting your cloud infrastructure. The OpenStack Barbican key manager service provides secure storage, provisioning and management of secrets such as passwords and encryption keys.