1. Barbican1.0
Key management for the open cloud

2. Jarret Raim & Matt Tesauro
aboutus
ACADEMIC
DEVELOPER
SECURITY
CONSULTANT
SECURITY
ARCHITECT
OWASP BOARD MEMBER
OWASP LIVE CD
OWASP WTE
RACKER SINCE ‘11
PRODUCT SECURITY
SECURITY
PRODUCTS
HACKING THE RACK

3. Everyone writing code needs good key management
CustomerS
Most important security technologies for a hoster to provide !
Data Protection!
57%!
Endpoint & Network Protection!
19%!
Identity & Access Control!
13%!
11%!
11%!
9%!
73%
46%
16%!
18%!
2%!
#1 Choice!
38%
#2 Choice!
Application Security!
Vulnerability & Incident Management!
Configuration & Patch Management!
7%!
27%!
4%!
2%!
18%!
18%!
13%!
49%
27%!
27%!
52%
42%
#3 Choice!

4. Every OpenStack project has encryption needs
OpenStack
Swift & Glance
Cinder
Encrypted files at rest.
Transparent volume encryption.
Trove
Heat
Encrypted databases and tables.
AES, SSH & SSL key management.
Neutron
Marconi
SSL Certificates and VPN keys.
Encrypted queue messages.
Nova & Ironic
Savanna
SSH keys, encrypted file systems.
Analytics on encrypted data.
Keystone
OSLO
Encrypted metadata, user level keys.
Support all the things.

5. Customdev
Settings
Commonly exposed settings including credentials can be
protected either through encryption or by storing the entire
settings file.
Encryption Keys
Keys used to provide encryption for data at rest.
SSL Keys
SSL / TLS private keys.
SSH Keys
Keys used for access control.

6. InteractionMOdels
Transparent
Encryption
Least secure
Federated
Keys
On-Premise
Management
Most secure

7. Transparentencryption
Customer
Rackspace
Consuming
Service
Public
Public
Private
Private

8. FEderatedKeys
Customer
Rackspace
Consuming
Service
Public
Public
Private
Private

9. OnPRemise
Customer
Rackspace
Public
Public
Private
Private

10. VagrantUp

12. KeySTorage
DEK
Barbican API
Node
Hardware
Security
Module
Data Store
KEK
DEK
All keys are encrypted with a tenant-level key encryption key (KEK). This key never leaves the HSM (if
using one). The encrypted data encryption key (DEK) is stored in the Barbican data store.

13. The keying material
SecretResource
POST v1/{tenant_id}/secrets!
GET v1/{tenant_id}/secrets/888b29a4-c7cf-49d0bfdf-bd9e6f26d718!
!
{!
!
"name": "AES key",!
"expiration": "2014-02-28T19:14:44.180394",!
"algorithm": "aes",!
"bit_length": 256,!
"mode": "cbc",!
"payload": "gF6+lLoF3ohA9aPRpt+6bQ==",!
"payload_content_type": "application/octetstream",!
"payload_content_encoding": "base64"!
{!
"status": "ACTIVE",!
"updated": "2013-06-28T15:23:33.092660",!
"name": "AES key",!
"algorithm": "AES",!
"mode": "cbc",!
"bit_length": 256,!
"content_types": {!
"default": "application/octet-stream"!
},!
"expiration": "2013-05-08T16:21:38.134160",!
"secret_href": "http://localhost:8080/
v1/12345/secrets/888b29a4-c7cf-49d0-bfdfbd9e6f26d718",!
}!
}!

14. The keying material
OrdersResource
POST v1/orders!
GET v1/orders/f9b633d-…-80289e!
!
!
{!
{!
"secret": {!
"name": "secretname",!
"algorithm": "AES",!
"bit_length": 256,!
"mode": "cbc",!
"payload_content_type": "application/octetstream"!
}!
"secret": {!
"name": "secretname",!
"algorithm": "aes",!
"bit_length": 256,!
"mode": "cbc",!
"payload_content_type": "application/octetstream"!
},!
"order_href": "http://localhost:8080/
v1/12345/orders/f9b633d8--5b2c9280289e",!
"secret_href": "http://localhost:8080/
v1/12345/secrets/888b29a4-c7cf-49d0-bfdfbd9e6f26d718"!
}!
!
}!

15. SwiftDemo
Transparent encryption for object storage.

16. portcullisproxy
Pyrox is a HTTP reverse proxy that can intercept requests ahead of an upstream HTTP REST service. This allows
reuse of common middleware functions like: message enhancement, dynamic routing, authentication,
authorization, resource request rate limiting, service distribution, content negotiation and content transformation.
These services can then be scaled horizontally separate the origin REST endpoint.
Key Per File
HMAC /verify resource
Portcullis currently uses a single key per encrypted file.
This is to deal with copy between container semantics in
Swift.
We currently use AES-CBC with HMAC. We’ll move to
GCM as soon as the code is stable. We have a new /verify
resource that clients can use to check integrity.
Filename & Container Names
Flow Control
We don’t currently encrypt filenames and container names.
This is to ensure that all tools that expect Swift semantics
still work.
Pyrox performs the necessary flow control functionality that
needs to happen to keep the proxy from being
overwhelmed.

17. Futurework
KMIP Support
There is a possibility that a Python KMIP client will
be open-sourced by Safenet soon. If so, we’ll
integrate it, if not, we’ll build our own.
SSL / TLS
Barbican will support the provisioning of SSL
certificates from internal and external CAs.
Federation
Support for federated keys in both Barbican to
Barbican and Barbican to HSM configurations.
Integrations
Barbican will help teams integrate to provide
encryption services.

18. IntegrateNow
Python-Barbicanclient
from barbicanclient import client!
Provides both a programmatic and command
line interface to a Barbican instance.
barbican_client = client.Client(endpoint='http://path-tobarbican', tenant_id='tenant_id_for_context')!
!
!
Source Code & Documentation
The documentation and source code both reside
on GitHub in the CloudKeep organization.
Blueprints and project documentation is on
Launchpad.
Integration Environment
Barbican maintains an integration environment
on Public Cloud for testing. Not for use in
production deploys, but usable for testing / dev.
barbican_client.secrets.store(name, payload,
payload_content_type, payload_content_encoding,
algorithm, bit_length, mode, expiration)!
!
barbican_client.orders.create(name, payload_content_type,
algorithm, bit_length, mode, expiration)!
usage: keep [-h] [--no-auth | --os-auth-url <auth-url>]!
"[--os-username <auth-user-name>] [--os-password <authpassword>] [--os-tenant-name <auth-tenant-name>] [--ostenant-id <tenant-id>] [--endpoint <barbican-url>]!
"<entity> <action> ...!

19. ~ fin ~
#openstack-coudkeep
github.com/cloudkeep
barbican@lists.google.com