
Barbican 1.0

Jarret Raim
November 21, 2013

A walkthrough of the first release of Barbican, the OpenStack key management platform.

Transcript

  1. Barbican 1.0: Key management for the open cloud

  2. About us: Jarret Raim & Matt Tesauro. Developer, academic, security architect, security consultant, security products, OWASP board member, OWASP Live CD, OWASP WTE, Racker since '11, product security, hacking the Rack.
  3. Everyone writing code needs good key management. (Chart: customer survey, "Most important security technologies for a hoster to provide", #1 / #2 / #3 choice; categories: Data Protection, Endpoint & Network Protection, Identity & Access Control, Application Security, Vulnerability & Incident Management, Configuration & Patch Management.)
  4. Every OpenStack project has encryption needs:
    - Swift & Glance: encrypted files at rest.
    - Trove: encrypted databases and tables.
    - Neutron: SSL certificates and VPN keys.
    - Nova & Ironic: SSH keys, encrypted file systems.
    - Keystone: encrypted metadata, user-level keys.
    - Cinder: transparent volume encryption.
    - Heat: AES, SSH & SSL key management.
    - Marconi: encrypted queue messages.
    - Savanna: analytics on encrypted data.
    - OSLO: support all the things.
  5. Custom dev:
    - Settings: commonly exposed settings, including credentials, can be protected either through encryption or by storing the entire settings file.
    - Encryption keys: keys used to provide encryption for data at rest.
    - SSL keys: SSL / TLS private keys.
    - SSH keys: keys used for access control.
  6. Interaction models, from least secure to most secure: Transparent Encryption, Federated Keys, On-Premise Management.
  7. Transparent encryption (diagram: consuming service, customer and Rackspace, with public / private boundaries).

  8. Federated keys (diagram: consuming service, customer, Rackspace, Barbican and HSM, with public / private boundaries).
  9. On-premise (diagram: customer, Rackspace, Barbican and HSM, with public / private boundaries).

  10. Vagrant up

  11. (image-only slide)
  12. Key storage: all keys are encrypted with a tenant-level key encryption key (KEK). This key never leaves the HSM (if using one). The encrypted data encryption key (DEK) is stored in the Barbican data store. (Diagram: Barbican API node, Hardware Security Module, Data Store; KEK and DEK.)
  13. The keying material: Secret resource.

    POST v1/{tenant_id}/secrets

    ```json
    {
      "name": "AES key",
      "expiration": "2014-02-28T19:14:44.180394",
      "algorithm": "aes",
      "bit_length": 256,
      "mode": "cbc",
      "payload": "gF6+lLoF3ohA9aPRpt+6bQ==",
      "payload_content_type": "application/octet-stream",
      "payload_content_encoding": "base64"
    }
    ```

    GET v1/{tenant_id}/secrets/888b29a4-c7cf-49d0-bfdf-bd9e6f26d718

    ```json
    {
      "status": "ACTIVE",
      "updated": "2013-06-28T15:23:33.092660",
      "name": "AES key",
      "algorithm": "AES",
      "mode": "cbc",
      "bit_length": 256,
      "content_types": {
        "default": "application/octet-stream"
      },
      "expiration": "2013-05-08T16:21:38.134160",
      "secret_href": "http://localhost:8080/v1/12345/secrets/888b29a4-c7cf-49d0-bfdf-bd9e6f26d718"
    }
    ```
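An added client-side sanity check, not Barbican's own code, run over the Secret document shown on this slide; the checks (declared bit_length versus bytes actually supplied, legal AES key size, expiration still in the future) are assumptions about what a careful client should verify before storing a key. The slide's sample payload decodes to 16 bytes, so the check flags its declared bit_length of 256.

```python
import base64
import json
from datetime import datetime

# Constructed sample, copied from the POST v1/{tenant_id}/secrets body on the slide.
SAMPLE_SECRET = json.loads("""
{
  "name": "AES key",
  "expiration": "2014-02-28T19:14:44.180394",
  "algorithm": "aes",
  "bit_length": 256,
  "mode": "cbc",
  "payload": "gF6+lLoF3ohA9aPRpt+6bQ==",
  "payload_content_type": "application/octet-stream",
  "payload_content_encoding": "base64"
}
""")

REQUIRED = ("name", "algorithm", "bit_length", "payload",
            "payload_content_type", "payload_content_encoding")
AES_KEY_BITS = {128, 192, 256}


def validate_secret(doc, now=None):
    """Return a list of problems with a secret document (empty list means OK).

    Assumed client-side sanity checks, not Barbican's own server validation.
    Slide timestamps carry no zone, so expiration is compared as a naive datetime.
    """
    now = now or datetime.now()
    problems = ["missing field: %s" % f for f in REQUIRED if f not in doc]
    if problems:
        return problems
    if doc["payload_content_encoding"] != "base64":
        return ["unsupported encoding: %s" % doc["payload_content_encoding"]]
    try:
        raw = base64.b64decode(doc["payload"], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["payload is not valid base64"]
    actual_bits = len(raw) * 8
    if actual_bits != doc["bit_length"]:
        problems.append("bit_length %d but payload is %d bits"
                        % (doc["bit_length"], actual_bits))
    if doc["algorithm"].lower() == "aes" and actual_bits not in AES_KEY_BITS:
        problems.append("%d bits is not a valid AES key size" % actual_bits)
    if "expiration" in doc:
        exp = datetime.strptime(doc["expiration"], "%Y-%m-%dT%H:%M:%S.%f")
        if exp <= now:
            problems.append("expiration %s is not in the future" % doc["expiration"])
    return problems
```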
  14. The keying material: Orders resource.

    POST v1/orders

    ```json
    {
      "secret": {
        "name": "secretname",
        "algorithm": "AES",
        "bit_length": 256,
        "mode": "cbc",
        "payload_content_type": "application/octet-stream"
      }
    }
    ```

    GET v1/orders/f9b633d-…-80289e

    ```json
    {
      "secret": {
        "name": "secretname",
        "algorithm": "aes",
        "bit_length": 256,
        "mode": "cbc",
        "payload_content_type": "application/octet-stream"
      },
      "order_href": "http://localhost:8080/v1/12345/orders/f9b633d8--5b2c9280289e",
      "secret_href": "http://localhost:8080/v1/12345/secrets/888b29a4-c7cf-49d0-bfdf-bd9e6f26d718"
    }
    ```
  15. Swift demo: transparent encryption for object storage.

  16. Portcullis proxy:
    - Key per file: Portcullis currently uses a single key per encrypted file. This is to deal with copy-between-container semantics in Swift.
    - Filename & container names: we don't currently encrypt filenames and container names. This is to ensure that all tools that expect Swift semantics still work.
    - HMAC / verify resource: we currently use AES-CBC with HMAC. We'll move to GCM as soon as the code is stable. We have a new /verify resource that clients can use to check integrity.
    - Flow control: Pyrox performs the flow control needed to keep the proxy from being overwhelmed.

    Pyrox is an HTTP reverse proxy that can intercept requests ahead of an upstream HTTP REST service. This allows reuse of common middleware functions such as message enhancement, dynamic routing, authentication, authorization, resource request rate limiting, service distribution, content negotiation and content transformation. These services can then be scaled horizontally, separately from the origin REST endpoint.
  17. Future work:
    - KMIP support: there is a possibility that a Python KMIP client will be open-sourced by SafeNet soon. If so, we'll integrate it; if not, we'll build our own.
    - SSL / TLS: Barbican will support the provisioning of SSL certificates from internal and external CAs.
    - Federation: support for federated keys in both Barbican-to-Barbican and Barbican-to-HSM configurations.
    - Integrations: Barbican will help teams integrate to provide encryption services.
  18. Integrate now:
    - python-barbicanclient: provides both a programmatic and a command line interface to a Barbican instance.
    - Source code & documentation: the documentation and source code both reside on GitHub in the CloudKeep organization. Blueprints and project documentation are on Launchpad.
    - Integration environment: Barbican maintains an integration environment on Public Cloud for testing. Not for use in production deploys, but usable for testing / dev.

    ```python
    from barbicanclient import client

    # Connect to a Barbican endpoint in the context of one tenant.
    barbican_client = client.Client(endpoint='http://path-to-barbican',
                                    tenant_id='tenant_id_for_context')

    # Store keying material you already hold (arguments named as on the slide).
    barbican_client.secrets.store(name, payload, payload_content_type,
                                  payload_content_encoding, algorithm,
                                  bit_length, mode, expiration)

    # Ask Barbican to generate the keying material for you.
    barbican_client.orders.create(name, payload_content_type, algorithm,
                                  bit_length, mode, expiration)
    ```

    Command line usage:

    ```
    usage: keep [-h] [--no-auth | --os-auth-url <auth-url>]
                [--os-username <auth-user-name>] [--os-password <auth-password>]
                [--os-tenant-name <auth-tenant-name>] [--os-tenant-id <tenant-id>]
                [--endpoint <barbican-url>]
                <entity> <action> ...
    ```
  19. ~ fin ~ #openstack-cloudkeep, github.com/cloudkeep, barbican@lists.google.com
