2. Jarret Raim & Matt Tesauro
aboutus
ACADEMIC
DEVELOPER
SECURITY
CONSULTANT
SECURITY
ARCHITECT
OWASP BOARD MEMBER
OWASP LIVE CD
OWASP WTE
RACKER SINCE ‘11
PRODUCT SECURITY
SECURITY
PRODUCTS
HACKING THE RACK
3. Everyone writing code needs good key management
CustomerS
Most important security technologies for a hoster to provide !
Data Protection!
57%!
Endpoint & Network Protection!
19%!
Identity & Access Control!
13%!
11%!
11%!
9%!
73%
46%
16%!
18%!
2%!
#1 Choice!
38%
#2 Choice!
Application Security!
Vulnerability & Incident Management!
Configuration & Patch Management!
7%!
27%!
4%!
2%!
18%!
18%!
13%!
49%
27%!
27%!
52%
42%
#3 Choice!
4. Every OpenStack project has encryption needs
OpenStack
Swift & Glance
Cinder
Encrypted files at rest.
Transparent volume encryption.
Trove
Heat
Encrypted databases and tables.
AES, SSH & SSL key management.
Neutron
Marconi
SSL Certificates and VPN keys.
Encrypted queue messages.
Nova & Ironic
Savanna
SSH keys, encrypted file systems.
Analytics on encrypted data.
Keystone
OSLO
Encrypted metadata, user level keys.
Support all the things.
5. Customdev
Settings
Commonly exposed settings including credentials can be
protected either through encryption or by storing the entire
settings file.
Encryption Keys
Keys used to provide encryption for data at rest.
SSL Keys
SSL / TLS private keys.
SSH Keys
Keys used for access control.
16. portcullisproxy
Pyrox is a HTTP reverse proxy that can intercept requests ahead of an upstream HTTP REST service. This allows
reuse of common middleware functions like: message enhancement, dynamic routing, authentication,
authorization, resource request rate limiting, service distribution, content negotiation and content transformation.
These services can then be scaled horizontally separate the origin REST endpoint.
Key Per File
HMAC /verify resource
Portcullis currently uses a single key per encrypted file.
This is to deal with copy between container semantics in
Swift.
We currently use AES-CBC with HMAC. We’ll move to
GCM as soon as the code is stable. We have a new /verify
resource that clients can use to check integrity.
Filename & Container Names
Flow Control
We don’t currently encrypt filenames and container names.
This is to ensure that all tools that expect Swift semantics
still work.
Pyrox performs the necessary flow control functionality that
needs to happen to keep the proxy from being
overwhelmed.
17. Futurework
KMIP Support
There is a possibility that a Python KMIP client will
be open-sourced by Safenet soon. If so, we’ll
integrate it, if not, we’ll build our own.
SSL / TLS
Barbican will support the provisioning of SSL
certificates from internal and external CAs.
Federation
Support for federated keys in both Barbican to
Barbican and Barbican to HSM configurations.
Integrations
Barbican will help teams integrate to provide
encryption services.
18. IntegrateNow
Python-Barbicanclient
from barbicanclient import client!
Provides both a programmatic and command
line interface to a Barbican instance.
barbican_client = client.Client(endpoint='http://path-tobarbican', tenant_id='tenant_id_for_context')!
!
!
Source Code & Documentation
The documentation and source code both reside
on GitHub in the CloudKeep organization.
Blueprints and project documentation is on
Launchpad.
Integration Environment
Barbican maintains an integration environment
on Public Cloud for testing. Not for use in
production deploys, but usable for testing / dev.
barbican_client.secrets.store(name, payload,
payload_content_type, payload_content_encoding,
algorithm, bit_length, mode, expiration)!
!
barbican_client.orders.create(name, payload_content_type,
algorithm, bit_length, mode, expiration)!
usage: keep [-h] [--no-auth | --os-auth-url <auth-url>]!
"[--os-username <auth-user-name>] [--os-password <authpassword>] [--os-tenant-name <auth-tenant-name>] [--ostenant-id <tenant-id>] [--endpoint <barbican-url>]!
"<entity> <action> ...!