Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
Chapter 2. Managing secrets and keys with OpenStack Key Manager (barbican)
You use OpenStack Key Manager to create, update, and delete secrets and encryption keys. You can also back up and restore the encryption keys and the barbican database. It is recommended that you regularly back up your encryption keys and barbican database.
2.1. Viewing secrets
To view the list of secrets, run the openstack secret list command. The list includes the URI, name, type, and other information about the secrets.
Procedure
View the list of secrets:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
2.2. Creating a secret
To create a secret, run the openstack secret store command and specify the name of the secret and optionally the payload for the secret.
Procedure
Create a secret. For example:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
2.3. Adding a payload to a secret
You cannot change the payload of a secret (other than deleting the secret), but if you created a secret without specifying a payload, you can later add a payload to it by using the openstack secret update command.
Procedure
Add a payload to a secret:
openstack secret update https://192.168.123.163:9311/v1/secrets/ca34a264-fd09-44a1-8856-c6e7116c3b16 'TestPayload-updated'
$ openstack secret update https://192.168.123.163:9311/v1/secrets/ca34a264-fd09-44a1-8856-c6e7116c3b16 'TestPayload-updated' $Copy to Clipboard Copied! Toggle word wrap Toggle overflow
2.4. Deleting a secret
To delete a secret, run the openstack secret delete command and specify the secret URI.
Procedure
Delete a secret with the specified URI:
openstack secret delete https://192.168.123.163:9311/v1/secrets/ecc7b2a4-f0b0-47ba-b451-0f7d42bc1746
$ openstack secret delete https://192.168.123.163:9311/v1/secrets/ecc7b2a4-f0b0-47ba-b451-0f7d42bc1746 $Copy to Clipboard Copied! Toggle word wrap Toggle overflow
2.5. Generating a symmetric key
To generate a symmetric key, use the order create command and then store the key in barbican. You can then use symmetric keys for certain tasks, such as nova disk encryption and swift object encryption.
Prerequisites
- OpenStack Key Manager is installed and running
Procedure
Generate a new 256-bit key using
order createand store it in barbican. For example:Copy to Clipboard Copied! Toggle word wrap Toggle overflow You can also use the
--modeoption to configure generated keys to use a particular mode, such asctrorcbc. For more information, see NIST SP 800-38A.View the details of the order to identify the location of the generated key, shown here as the
Secret hrefvalue:Copy to Clipboard Copied! Toggle word wrap Toggle overflow Retrieve the details of the secret:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
2.6. Backing up simple crypto encryption keys
To backup simple crypto encryption keys, back up the barbican.conf file that contains the main KEK to a security hardened location, and then back up the barbican database.
The procedure includes steps to generate a test secret and key. If you already generated a key for your secrets, skip the test key steps and use the key that you generated.
Prerequisites
- OpenStack Key Manager is installed and running
- You have a security hardened location for the KEK backup
Procedure
On the overcloud, generate a new 256-bit key and store it in barbican:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Create a test secret:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Confirm that the test secret is created:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow -
Copy the
barbican.conffile that contains the main KEK to a security hardened location. Log in to the
controller-0node and retrieve barbican user password:sudo grep -r "barbican::db::mysql::password" /etc/puppet/hieradata
[tripleo-admin@controller-0 ~]$ sudo grep -r "barbican::db::mysql::password" /etc/puppet/hieradata /etc/puppet/hieradata/service_configs.json: "barbican::db::mysql::password": "seDJRsMNRrBdFryCmNUEFPPev",Copy to Clipboard Copied! Toggle word wrap Toggle overflow NoteOnly the user barbican has access to the barbican database. So the barbican user password is required to backup or restore the database.
Back up the barbican database:
mysqldump -u barbican -p"seDJRsMNRrBdFryCmNUEFPPev" barbican > barbican_db_backup.sql
[tripleo-admin@controller-0 ~]$ mysqldump -u barbican -p"seDJRsMNRrBdFryCmNUEFPPev" barbican > barbican_db_backup.sqlCopy to Clipboard Copied! Toggle word wrap Toggle overflow Check that the database backup is stored in
/home/tripleo-admin:ll
[tripleo-admin@controller-0 ~]$ ll total 36 -rw-rw-r--. 1 tripleo-admin tripleo-admin 36715 Jun 19 18:31 barbican_db_backup.sqlCopy to Clipboard Copied! Toggle word wrap Toggle overflow On the overcloud, delete the secrets you created previously and verify that they no longer exist:
openstack secret delete http://10.0.0.104:9311/v1/secrets/93f62cfd-e008-401f-be74-bf057c88b04a openstack secret delete http://10.0.0.104:9311/v1/secrets/f664b5cf-5221-47e5-9887-608972a5fefb openstack secret list
(overcloud) [stack@undercloud-0 ~]$ openstack secret delete http://10.0.0.104:9311/v1/secrets/93f62cfd-e008-401f-be74-bf057c88b04a (overcloud) [stack@undercloud-0 ~]$ openstack secret delete http://10.0.0.104:9311/v1/secrets/f664b5cf-5221-47e5-9887-608972a5fefb (overcloud) [stack@undercloud-0 ~]$ openstack secret list (overcloud) [stack@undercloud-0 ~]$Copy to Clipboard Copied! Toggle word wrap Toggle overflow
2.7. Restoring simple crypto encryption keys from a backup
To restore the barbican database from a backup, log in to the Controller node with barbican permissions and restore the barbican database. To restore the KEK from a backup, override the barbican.conf file with the backup file.
Prerequisites
- OpenStack Key Manager is installed and running
-
You have an existing backup of the
barbican.conffile and the barbican database
Procedure
Log in to the
controller-0node and check that you have thebarbicandatabase on the controller that grants access to thebarbicanuser to restore the database:Copy to Clipboard Copied! Toggle word wrap Toggle overflow Restore the backup file to the
barbicandatabase:sudo mysql -u barbican -p"seDJRsMNRrBdFryCmNUEFPPev" barbican < barbican_db_backup.sql
[tripleo-admin@controller-0 ~]$ sudo mysql -u barbican -p"seDJRsMNRrBdFryCmNUEFPPev" barbican < barbican_db_backup.sql [tripleo-admin@controller-0 ~]$Copy to Clipboard Copied! Toggle word wrap Toggle overflow -
Override the
barbican.conffile with the file that you previously backed up.
Verification
On the overcloud, verify that the test secrets were restored successfully:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}