Red Hat SummitCe contenu n'est pas disponible dans la langue sélectionnée.
Chapter 12. Managing secrets and keys with OpenStack Key Manager (barbican)
Manage secrets and encryption keys in Red Hat OpenStack Services on OpenShift (RHOSO) to centralize sensitive data management. Using the Key Manager service (barbican) enables you to securely store, provision and manage your secret data, ensuring that this critical information remains protected from unauthorized access.
You can use OpenStack Key Manager service to create, update, and delete secrets and encryption keys.
12.1. About the Red Hat OpenStack Services on OpenShift Key Manager Operator (barbican)
Understand the Red Hat OpenStack Services on OpenShift (RHOSO) Key Manager Operator (barbican). This Operator manages the Key Manager service in the system and is installed and active by default.
The OpenStack Key Manager service (barbican) is the secrets manager for Red Hat OpenStack Services on OpenShift (RHOSO). An OpenStack administrator can use the Key Manager API and command line to centrally manage the certificates, keys, and passwords used by OpenStack. The RHOSO Key Manager service integrates with the Block Storage (cinder), Networking (neutron), and Compute (nova) services.
Secrets such as certificates, API keys, and passwords, are stored in the Key Manager service database or directly in a secure storage system. In RHOSO 18.0 the simple crypto plug-in is available to encrypt secrets.
OpenStack Key Manager supports the following use cases:
Symmetric encryption keys
- Block Storage (cinder) volume encryption
- Object Storage (swift) encryption
- Ephemeral disk encryption
Asymmetric keys and certificates
- Image service (glance) image signing
- Image service (glance) image verification
12.2. Viewing secrets
View secrets in Red Hat OpenStack Services on OpenShift (RHOSO) to check stored information. This action allows you to review specific properties of the secrets to confirm they are configured correctly, such as their URI, name, type, and expiration.
You cannot view the payload content of the secrets.
Procedure
View the list of secrets:
$ openstack secret listFor example:
+------------------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+ | Secret href | Name | Created | Status | Content types | Algorithm | Bit length | Secret type | Mode | Expiration | +------------------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+ | https://192.168.123.169:9311/v1/secrets/24845e6d-64a5-4071-ba99-0fdd1046172e | None | 2018-01-22T02:23:15+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | aes | 256 | symmetric | None | None | +------------------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
12.3. Creating a secret
Create a secret in Red Hat OpenStack Services on OpenShift (RHOSO) to store private information. This configuration saves your data in a secure location so that you can use it with your services.
You must specify the name of the secret and you can optionally specify its payload. Adding the payload attaches the actual content, like a certificate or key, to the secret metadata and ensures that services can retrieve and use the secured information.
You cannot change the payload of a secret, you can only delete it. If you create a secret without specifying a payload, then you can later add a payload to it by using the openstack secret update command.
Procedure
Create a secret:
$ openstack secret store --name testSecret --payload 'TestPayload'For example:
+---------------+------------------------------------------------------------------------------------+ | Field | Value | +---------------+------------------------------------------------------------------------------------+ | Secret href | https://192.168.123.163:9311/v1/secrets/ecc7b2a4-f0b0-47ba-b451-0f7d42bc1746 | | Name | testSecret | | Created | None | | Status | None | | Content types | None | | Algorithm | aes | | Bit length | 256 | | Secret type | opaque | | Mode | cbc | | Expiration | None | +---------------+------------------------------------------------------------------------------------+
12.4. Adding a payload to a secret
Add a payload to a secret in Red Hat OpenStack Services on OpenShift (RHOSO) to populate it with data. This updates an existing secret definition with the specific information you want to store in the environment.
You cannot change the payload of a secret, you can only delete it.
If you create a secret without specifying a payload, then you can add a payload to it by using the openstack secret update command.
Procedure
Add a payload to a secret that does not contain a payload yet:
$ openstack secret update https://192.168.123.163:9311/v1/secrets/ca34a264-fd09-44a1-8856-c6e7116c3b16 'TestPayload'
12.5. Deleting a secret
Delete a secret in Red Hat OpenStack Services on OpenShift (RHOSO) to remove sensitive data that is no longer needed. Permanently removing obsolete or compromised secrets from the Key Manager service (barbican) prevents unauthorized access and ensures that services stop using invalid credentials.
Procedure
You must specify the secret URI when deleting a secret:
TipYou can use this command
openstack secret listto obtain the URI of the secret.$ openstack secret delete https://192.168.123.163:9311/v1/secrets/ecc7b2a4-f0b0-47ba-b451-0f7d42bc1746
12.6. Generating a symmetric key
Generate a symmetric key in Red Hat OpenStack Services on OpenShift (RHOSO) to enable encryption for your services. Creating the key directly in the Key Manager service (barbican) ensures that the secret data is generated securely and stored immediately.
You can generate a symmetric key for specific tasks such as Compute service disk encryption and Object Storage service encryption.
Procedure
Generate a new 256-bit key using
order createand store it in the Key Manager service.$ openstack secret order create --name swift_key --algorithm aes --mode ctr --bit-length 256 --payload-content-type=application/octet-stream keyFor example:
+----------------+-----------------------------------------------------------------------------------+ | Field | Value | +----------------+-----------------------------------------------------------------------------------+ | Order href | https://192.168.123.173:9311/v1/orders/043383fe-d504-42cf-a9b1-bc328d0b4832 | | Type | Key | | Container href | N/A | | Secret href | None | | Created | None | | Status | None | | Error code | None | | Error message | None | +----------------+-----------------------------------------------------------------------------------+You can also use the
--modeoption to configure generated keys to use a particular mode, such asctrorcbc. For more information, see NIST SP 800-38A.View the details of the order to identify the location of the generated key, shown here as the
Secret hrefvalue:Example command:
$ openstack secret order get https://192.168.123.173:9311/v1/orders/043383fe-d504-42cf-a9b1-bc328d0b4832For example:
+----------------+------------------------------------------------------------------------------------+ | Field | Value | +----------------+------------------------------------------------------------------------------------+ | Order href | https://192.168.123.173:9311/v1/orders/043383fe-d504-42cf-a9b1-bc328d0b4832 | | Type | Key | | Container href | N/A | | Secret href | https://192.168.123.173:9311/v1/secrets/efcfec49-b9a3-4425-a9b6-5ba69cb18719 | | Created | 2018-01-24T04:24:33+00:00 | | Status | ACTIVE | | Error code | None | | Error message | None | +----------------+------------------------------------------------------------------------------------+Retrieve the details of the secret:
Example command:
$ openstack secret get https://192.168.123.173:9311/v1/secrets/efcfec49-b9a3-4425-a9b6-5ba69cb18719For example:
+---------------+------------------------------------------------------------------------------------+ | Field | Value | +---------------+------------------------------------------------------------------------------------+ | Secret href | https://192.168.123.173:9311/v1/secrets/efcfec49-b9a3-4425-a9b6-5ba69cb18719 | | Name | swift_key | | Created | 2018-01-24T04:24:33+00:00 | | Status | ACTIVE | | Content types | {u'default': u'application/octet-stream'} | | Algorithm | aes | | Bit length | 256 | | Secret type | symmetric | | Mode | ctr | | Expiration | None | +---------------+------------------------------------------------------------------------------------+
12.7. Encrypting Block Storage (cinder) volumes
Encrypt Block Storage (cinder) volumes in Red Hat OpenStack Services on OpenShift (RHOSO) to secure your storage resources. This configuration uses the Key Manager service (barbican) to secure volume contents, ensuring that information remains unreadable to unauthorized users even if the physical storage is compromised.
You can use the Key Manager service to manage your Block Storage service (cinder) encryption keys. This configuration uses LUKS to encrypt the disks attached to your instances, including boot disks.
Block Storage volume key management is transparent to the user; when you create a new volume using luks as the encryption type, the Block Storage service generates a symmetric key secret for the volume and stores it in the Key Manager service. When booting the instance or attaching an encrypted volume, the Compute service (nova) retrieves the key from the Key Manager service and stores the secret locally as a libvirt secret on the Compute node.
Procedure
Create a Block Storage volume template that uses encryption. When you create new volumes, they can be modeled off the settings you define here:
$ openstack volume type create --encryption-provider nova.volume.encryptors.luks.LuksEncryptor --encryption-cipher aes-xts-plain64 --encryption-key-size 256 --encryption-control-location front-end LuksEncryptor-Template-256For example:
+-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | description | None | | encryption | cipher='aes-xts-plain64', control_location='front-end', encryption_id='9df604d0-8584-4ce8-b450-e13e6316c4d3', key_size='256', provider='nova.volume.encryptors.luks.LuksEncryptor' | | id | 78898a82-8f4c-44b2-a460-40a5da9e4d59 | | is_public | True | | name | LuksEncryptor-Template-256 | +-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+Create a new Block Storage volume and specify that it uses the
LuksEncryptor-Template-256settings:$ openstack volume create --size 1 --type LuksEncryptor-Template-256 'Encrypted-Test-Volume'For example:
+---------------------+--------------------------------------+ | Field | Value | +---------------------+--------------------------------------+ | attachments | [] | | availability_zone | nova | | bootable | false | | consistencygroup_id | None | | created_at | 2018-01-22T00:19:06.000000 | | description | None | | encrypted | True | | id | a361fd0b-882a-46cc-a669-c633630b5c93 | | migration_status | None | | multiattach | False | | name | Encrypted-Test-Volume | | properties | | | replication_status | None | | size | 1 | | snapshot_id | None | | source_volid | None | | status | creating | | type | LuksEncryptor-Template-256 | | updated_at | None | | user_id | 0e73cb3111614365a144e7f8f1a972af | +---------------------+--------------------------------------+The resulting secret is automatically uploaded to the Key Manager service back end.
Ensure that you can see the Key Manager service secret UUID. This value is displayed in the
encryption_key_idfield.$ cinder --os-volume-api-version 3.64 volume show Encrypted-Test-VolumeFor example:
+------------------------------+-------------------------------------+ |Property |Value | +------------------------------+-------------------------------------+ |attached_servers |[] | |attachment_ids |[] | |availability_zone |nova | |bootable |false | |cluster_name |None | |consistencygroup_id |None | |created_at |2022-07-28T17:35:26.000000 | |description |None | |encrypted |True | |encryption_key_id |0944b8a8-de09-4413-b2ed-38f6c4591dd4 | |group_id |None | |id |a0b51b97-0392-460a-abfa-093022a120f3 | |metadata | | |migration_status |None | |multiattach |False | |name |vol | |os-vol-host-attr:host |hostgroup@tripleo_iscsi#tripleo_iscsi| |os-vol-mig-status-attr:migstat|None | |os-vol-mig-status-attr:name_id|None | |os-vol-tenant-attr:tenant_id |a2071ece39b3440aa82395ff7707996f | |provider_id |None | |replication_status |None | |service_uuid |471f0805-072e-4256-b447-c7dd10ceb807 | |shared_targets |False | |size |1 | |snapshot_id |None | |source_volid |None | |status |available | |updated_at |2022-07-28T17:35:26.000000 | |user_id |ba311b5c2b8e438c951d1137333669d4 | |volume_type |LUKS | |volume_type_id |cc188ace-f73d-4af5-bf5a-d70ccc5a401c | +------------------------------+-------------------------------------+NoteYou must use the
--os-volume-api-version 3.64parameter with the Block Storage servicecinderCLI to display theencryption_key_idvalue. There is no equivalentopenstackCLI command.Use the Key Manager service to confirm that the disk encryption key is present. In this example, the timestamp matches the LUKS volume creation time:
$ openstack secret listFor example:
+------------------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+ | Secret href | Name | Created | Status | Content types | Algorithm | Bit length | Secret type | Mode | Expiration | +------------------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+ | https://192.168.123.169:9311/v1/secrets/0944b8a8-de09-4413-b2ed-38f6c4591dd4 | None | 2018-01-22T02:23:15+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | aes | 256 | symmetric | None | None | +------------------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+Attach the new Block Storage volume to an existing instance:
$ openstack server add volume testInstance Encrypted-Test-VolumeThe Block Storage volume is now available for you to mount to the guest file system.
12.8. Signing Image service (glance) images
Validate Image service (glance) images in Red Hat OpenStack Services on OpenShift (RHOSO) to ensure data integrity. Verifying signatures against trusted keys prevents the deployment of compromised images that have been modified by unauthorized users.
When you configure the Image service (glance) to validate images, you must sign those images before uploading them. Use the openssl command to sign an image with a key that is stored in the Key Manager service (barbican), and then upload the image to the Image service with the accompanying image properties. The signature of the image is verified before each use, and the instance build process fails if the signature does not match.
- Limitations
-
Signature verification is based on
openSSL _rsa_sig_verify(), which currently raises anInvalidSignatureexception in the Image service if the key length is not 1024. This issue occurs because of a regression in OpenSSL 3.0.7. Signature verification works correctly with key length 2048 and OpenSSL 3.0.2. - OpenSSL does not support the SHA256 algorithm. You must use SHA512 or greater to create a signed image.
-
Signature verification is based on
Procedure
Use the
opensslcommand to create the keys and the certificate:Create the private key:
$ openssl genrsa -out private_key.pem 1024Create the public key:
$ openssl rsa -pubout -in private_key.pem -out public_key.pemCreate the certificate:
$ openssl req -new -key private_key.pem -out cert_request.csrWhen prompted, enter details to include in your certificate request:
$ openssl x509 -req -days 14 -in cert_request.csr -signkey private_key.pem -out new_cert.crt
Upload the certificate to the Key Manager service, where it is stored in the
secret store:$ openstack secret store --name test --algorithm RSA --secret-type certificate \ --payload-content-type "application/octet-stream" \ --payload-content-encoding base64 \ --payload "$(base64 new_cert.crt)"For example:
+---------------+-----------------------------------------------------------------------+ | Field | Value | +---------------+-----------------------------------------------------------------------+ | Secret href | http://127.0.0.1:9311/v1/secrets/cd7cc675-e573-419c-8fff-33a72734a243 | +---------------+-----------------------------------------------------------------------+NoteRecord the certificate’s UUID for use in a later step. In this example, the UUID is
cd7cc675-e573-419c-8fff-33a72734a243.Retrieve an image and create a signature:
Retrieve an image:
$ echo <This is my image> > <myimage>Use
private_key.pemto sign the image and generate the.signaturefile. For example:$ openssl dgst -sha512 -sign private_key.pem -sigopt rsa_padding_mode:pss -out myimage.signature myimageConvert the
.signaturefile to Base64 format:$ base64 -w 0 myimage.signature > myimage.signature.b64Load the Base64 value into a variable to use when you upload the image:
$ image_signature=$(cat myimage.signature.b64)
Upload an image with valid signature properties to the Image service:
$ openstack image-create \ --name <my_signed_image> \ --container-format bare \ --disk-format qcow2 \ --property img_signature="$image_signature" \ --property img_signature_certificate_uuid="$cert_uuid" \ --property img_signature_hash_method='SHA-512' \ --property img_signature_key_type='RSA-PSS' < myimage
12.9. Validating snapshots
Validate snapshots in Red Hat OpenStack Services on OpenShift (RHOSO) to check for file issues. This process allows you to confirm that the backup files in your environment are correct before you use them.
Snapshots are saved as Image service (glance) images. If you configure the Compute service (nova) to check for signed images, then snapshots must by signed, even if they were created from an instance with a signed image.
Procedure
Download the snapshot from the Image service:
$ openstack image save --file <local_file_name> <snapshot_image_name>-
Replace
<local_file_name>with the file name of the downloaded image. -
Replace
<snapshot_image_name>with the name of your snapshot.
-
Replace
- Generate a signature to validate the snapshot. Use the same process that you use to generate a signature to validate an image. For more information, see Signing Image service (glance) images.
Update the snapshot image properties:
$ openstack image set \ --property img_signature="$image_signature" \ --property img_signature_certificate_uuid="<cd7cc675-e573-419c-8fff-33a72734a243>" \ --property img_signature_hash_method="SHA-512" \ --property img_signature_key_type="RSA-PSS" \ <snapshot_image_id>-
Replace
<cd7cc675-e573-419c-8fff-33a72734a243>with the UUID of the certificate for the image. -
Replace
<snapshot_image_id>with the ID of your snapshot.
-
Replace
Optional: Remove the downloaded Image service image from the filesystem:
$ rm <local_file_name>
12.10. Backing up simple crypto encryption keys
Back up encryption keys in Red Hat OpenStack Services on OpenShift (RHOSO) to prepare for disaster recovery. Exporting secrets from the Key Manager service (barbican) ensures that you can restore access to encrypted volumes if the primary system fails.
To backup simple crypto encryption keys, you must back up the Key Manager database and the BarbicanSimpleCryptoKek key that encrypts and decrypts values from the database. Store the key and Key Manager database in a security-hardened location.
Prerequisites
-
You have a security-hardened location for the
BarbicanSimpleCryptoKEKkey and Key Manager database.
Procedure
Retrieve the base64 decoded
BarbicanSimpleCryptoKEKvalue fromosp-secretand save it to a file calledkek.txt:$ oc get secret osp-secret -o yaml | grep BarbicanSimpleCryptoKEK | awk '{print $2}' | base64 -d > kek.txtRetrieve the Key Manager database root password:
$ DB_PASS=$(oc get secret osp-secret -o yaml | grep DbRootPassword | awk '{print $2}' | base64 -d)Use the Key Manager database root password to back up the barbican database:
$ oc exec -it openstack-galera-0 -- mysqldump -u root -p"${DB_PASS}" barbican > barbican_db_backup.sqlCheck that the database backup is stored in your current working directory:
$ ll total 36 -rw-rw-r--. 1 tripleo-admin tripleo-admin 36715 Jun 19 18:31 barbican_db_backup.sql-
Back up the
barbican_db_backup.sqlandkek.txtfiles to the security hardened location.
12.11. Restoring simple crypto encryption keys
Restore encryption keys in Red Hat OpenStack Services on OpenShift (RHOSO) to recover from a system failure. Importing backed-up secrets into the Key Manager service (barbican) enables you to regain access to encrypted volumes and ensure business continuity.
Restore the Key Manager database and the BarbicanSimpleCryptoKek password from a backup in order to restore simple crypto encryption keys.
Procedure
Encode your
BarbicanSimpleCryptoKekkey using base64 and write the resulting value into osp-secret:$ echo <barbican_key> | base64 YmFyYmljYW5fc2ltcGxlX2N5cHRvX2tlawo=Replace
<barbican_key>with theBarbicanSimpleCryptoKekkey that you want to restore.Open the
osp-secretsecret object for editing:$ oc edit secret osp-secretAdd the value from step 1 and save your changes:
.... BarbicanDatabasePassword: cGFzc3dvcmQK BarbicanPassword: cGFzc3dvcmQK BarbicanSimpleCryptoKEK: YmFyYmljYW5fc2ltcGxlX2N5cHRvX2tlawo= CeilometerPassword: cGFzc3dvcmQK CinderDatabasePassword: cGFzc3dvcmQK CinderPassword: cGFzc3dvcmQK DatabasePassword: cGFzc3dvcmQK ....Retrieve the Key Manager database root password:
DB_PASS=$(oc get secret osp-secret -o yaml | grep DbRootPassword | awk '{print $2}' | base64 -d)Restore the backup file to the Key Manager
barbicandatabase:$ oc exec openstack-galera-0 -- mysql -u root -p"${DB_PASS}" barbican < <sql_backup>Replace
<sql_backup>with the name of yourmysqldatabase backup file.For example:
Defaulted container "galera" out of: galera, mysql-bootstrap (init)
Verification
You can use the openstackclient pod to verify that the test secrets were restored successfully:
$ oc exec -n openstack -t openstackclient -- openstack secret list +------------------------------------------------------------------------+------------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+ | Secret href | Name | Created | Status | Content types | Algorithm | Bit length | Secret type | Mode | Expiration | +------------------------------------------------------------------------+------------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+ | http://10.0.0.104:9311/v1/secrets/93f62cfd-e008-401f-be74-bf057c88b04a | testSecret | 2018-06-19T18:25:25+00:00 | ACTIVE | {u'default': u'text/plain'} | aes | 256 | opaque | cbc | None | | http://10.0.0.104:9311/v1/secrets/f664b5cf-5221-47e5-9887-608972a5fefb | swift_key | 2018-06-19T18:24:40+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | aes | 256 | symmetric | ctr | None | +------------------------------------------------------------------------+------------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+------------+
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}