OpenStack Barbican Integration

OpenStack Barbican can be used as the key management service (KMS) for Server-Side Encryption with customer-managed keys (SSE-KMS): the Ceph Object Gateway fetches the encryption key from Barbican on each request instead of storing it itself.

../../_images/rgw-encryption-barbican.png

  1. Configure Keystone

  2. Create a Keystone user

  3. Configure the Ceph Object Gateway

  4. Create a key in Barbican

Configure Keystone

Barbican depends on Keystone for authorization and access control of its keys.

See OpenStack Keystone Integration.

Create a Keystone user

Create a new user that will be used by the Ceph Object Gateway to authenticate to Barbican and retrieve keys.

For example:

  user = rgwcrypt-user
  pass = rgwcrypt-password
  tenant = rgwcrypt

See OpenStack documentation for Manage projects, users, and roles.

Create a key in Barbican

See the Barbican documentation for How to Create a Secret. Every request to Barbican must carry a valid Keystone token in the X-Auth-Token header.

Note

Server-side encryption keys must be exactly 256 bits (32 bytes) long and base64 encoded; Barbican does not enforce this length itself, so check it before creating the secret.

Example request:

  POST /v1/secrets HTTP/1.1
  Host: barbican.example.com:9311
  Accept: */*
  Content-Type: application/json
  X-Auth-Token: 7f7d588dd29b44df983bc961a6b73a10
  Content-Length: 299

  {
    "name": "my-key",
    "expiration": "2016-12-28T19:14:44.180394",
    "algorithm": "aes",
    "bit_length": 256,
    "mode": "cbc",
    "payload": "6b+WOZ1T3cqZMxgThRcXAQBrS5mXKdDUphvpxptl9/4=",
    "payload_content_type": "application/octet-stream",
    "payload_content_encoding": "base64"
  }

Response:

  {"secret_ref": "http://barbican.example.com:9311/v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723"}

In the response, the UUID at the end of secret_ref, d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723, is the key id to pass in SSE-KMS requests (the x-amz-server-side-encryption-aws-kms-key-id header).

The newly created key is not yet readable by rgwcrypt-user, because that user is not the secret's creator. Grant read access with an ACL on the secret; see How to Set/Replace ACL for more details. Note that "project-access": true, as in the example below, additionally allows every user in the owning project (with the appropriate role) to read the key; set it to false if only the listed users should be able to read it.

Example request (assuming that the Keystone id of rgwcrypt-user is 906aa90bd8a946c89cdff80d0869460f):

  PUT /v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723/acl HTTP/1.1
  Host: barbican.example.com:9311
  Accept: */*
  Content-Type: application/json
  X-Auth-Token: 7f7d588dd29b44df983bc961a6b73a10
  Content-Length: 101

  {
    "read":{
      "users":[ "906aa90bd8a946c89cdff80d0869460f" ],
      "project-access": true
    }
  }

Response:

  {"acl_ref": "http://barbican.example.com:9311/v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723/acl"}
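The two Barbican requests above (creating the secret and setting its ACL) are easy to get subtly wrong: a payload that is not exactly 32 bytes, a wrong content encoding, or an ACL that is wider than intended. The following is an added example, not code from the Ceph or Barbican projects. It generates a key of the required size, validates a payload before it is sent, builds both request bodies and the HTTP requests carrying X-Auth-Token, extracts the key id from secret_ref, and produces the S3 headers that select the key for SSE-KMS. The host, token and Keystone user id are the placeholders from this page; nothing is sent over the network. It deliberately defaults project-access to false (narrower than the page's example) and refuses plain-http endpoints unless told otherwise.

```python
"""Offline helpers for provisioning an RGW SSE-KMS key in Barbican (added example)."""
import base64
import binascii
import json
import secrets
import urllib.request
from typing import Optional
from urllib.parse import urlparse

KEY_BYTES = 32  # RGW SSE-KMS requires exactly 256-bit keys


def generate_key_payload() -> str:
    """Fresh 256-bit key from the OS CSPRNG, base64 encoded for the payload field."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def validate_key_payload(payload: str) -> bytes:
    """Return the raw key, or raise ValueError unless payload is base64 of exactly 32 bytes.

    Barbican stores payloads of any length, so this check must happen client-side.
    """
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"payload is not valid base64: {exc}") from exc
    if len(raw) != KEY_BYTES:
        raise ValueError(f"key must be {KEY_BYTES} bytes, got {len(raw)}")
    return raw


def secret_request_body(name: str, payload: str, expiration: Optional[str] = None) -> dict:
    """JSON body for POST /v1/secrets, matching the request shown on this page."""
    validate_key_payload(payload)
    body = {
        "name": name,
        "algorithm": "aes",
        "bit_length": KEY_BYTES * 8,
        "mode": "cbc",
        "payload": payload,
        "payload_content_type": "application/octet-stream",
        "payload_content_encoding": "base64",
    }
    if expiration:
        body["expiration"] = expiration  # ISO 8601, e.g. "2016-12-28T19:14:44.180394"
    return body


def acl_request_body(user_ids: list, project_access: bool = False) -> dict:
    """JSON body for PUT /v1/secrets/<id>/acl.

    project_access=False limits reads to the listed Keystone user ids; True (Barbican's
    default, and what the page's example uses) also lets the whole owning project read it.
    """
    return {"read": {"users": list(user_ids), "project-access": project_access}}


def build_request(base_url: str, path: str, token: str, body: dict,
                  method: str = "POST", require_tls: bool = True) -> urllib.request.Request:
    """Assemble the request with the X-Auth-Token header Barbican requires (not sent here).

    The gateway later retrieves raw key material from the same endpoint, so a plain
    http URL is refused unless require_tls=False is passed explicitly.
    """
    if require_tls and urlparse(base_url).scheme != "https":
        raise ValueError("Barbican endpoint must be served over TLS")
    data = json.dumps(body).encode("utf-8")
    headers = {"Content-Type": "application/json", "Accept": "*/*", "X-Auth-Token": token}
    return urllib.request.Request(base_url.rstrip("/") + path, data=data,
                                  headers=headers, method=method)


def secret_id_from_ref(secret_ref: str) -> str:
    """Key id (the trailing UUID) from the secret_ref Barbican returns."""
    secret_id = urlparse(secret_ref).path.rstrip("/").rsplit("/", 1)[-1]
    if len(secret_id) != 36 or secret_id.count("-") != 4:
        raise ValueError(f"unexpected secret_ref: {secret_ref}")
    return secret_id


def sse_kms_headers(key_id: str) -> dict:
    """S3 request headers that make RGW encrypt an object with this Barbican key."""
    return {"x-amz-server-side-encryption": "aws:kms",
            "x-amz-server-side-encryption-aws-kms-key-id": key_id}


if __name__ == "__main__":
    token = "7f7d588dd29b44df983bc961a6b73a10"  # placeholder token from the page
    barbican = "https://barbican.example.com:9311"
    create = build_request(barbican, "/v1/secrets", token,
                           secret_request_body("my-key", generate_key_payload()))
    print(create.get_method(), create.full_url, create.data.decode())
    key_id = secret_id_from_ref(
        "http://barbican.example.com:9311/v1/secrets/d1e7ef3b-f841-4b7c-90b2-b7d90ca2d723")
    acl = build_request(barbican, f"/v1/secrets/{key_id}/acl", token,
                        acl_request_body(["906aa90bd8a946c89cdff80d0869460f"]), method="PUT")
    print(acl.get_method(), acl.full_url, acl.data.decode())
    print(sse_kms_headers(key_id))
```

Run it as a script to print the two requests that would be sent; in a real deployment, obtain the token from Keystone first and pass the returned request objects to urllib.request.urlopen (or translate them to curl). The validation step is the part worth keeping: a key that is not 32 bytes is stored happily by Barbican and only fails later, when the gateway tries to use it.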

Configure the Ceph Object Gateway

Edit the Ceph configuration file to select Barbican as the KMS backend and add the Barbican endpoint and the Keystone credentials the gateway uses to fetch keys:

  rgw crypt s3 kms backend = barbican
  rgw barbican url = http://barbican.example.com:9311
  rgw keystone barbican user = rgwcrypt-user
  rgw keystone barbican password = rgwcrypt-password

The example uses a plain http URL. In production the Barbican endpoint should be served over TLS, since the gateway retrieves raw key material over this connection on every encrypted request.

When using Keystone API version 2, identify the user's tenant:

  rgw keystone barbican tenant = rgwcrypt

When using API version 3, identify the user's project and domain instead:

  rgw keystone barbican project = rgwcrypt
  rgw keystone barbican domain = <domain of rgwcrypt-user>