Chapter 4. Managing secrets in barbican
4.1. Listing secrets
Secrets are identified by their URI, which is shown as the href value. This example shows the secret that you created in the previous step:
4.2. Adding new secrets
Create a test secret. For example:
4.3. Updating secrets
You cannot change the payload of an existing secret (you can only delete the secret). However, if you initially created a secret without specifying a payload, you can add a payload to it later by using the update function. For example:
$ openstack secret update https://192.168.123.163:9311/v1/secrets/ca34a264-fd09-44a1-8856-c6e7116c3b16 'TestPayload-updated'
$
4.4. Deleting secrets
You can delete a secret by specifying its URI. For example:
$ openstack secret delete https://192.168.123.163:9311/v1/secrets/ecc7b2a4-f0b0-47ba-b451-0f7d42bc1746
$
4.5. Generate a symmetric key
Symmetric keys are suitable for certain tasks, such as nova disk encryption and swift object encryption.
Generate a new 256-bit key using order create and store it in barbican. For example:
- --mode: Generated keys can be configured to use a particular mode, such as ctr or cbc. For more information, see NIST SP 800-38A.
View the details of the order to identify the location of the generated key, shown here as the Secret href value:
Retrieve the details of the secret:
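The three steps above (submit the order, read the order until the generated key's Secret href appears, then look at the secret) can be scripted. The following is an added example and is not code from the Red Hat documentation or from python-barbicanclient. It assumes an authenticated overcloud environment for the openstack CLI and that the "Order href", "Status", "Secret href" and "Error message" columns of `openstack secret order get` can be selected with the CLI's `-f value -c COLUMN` formatter options; the key name, bit length and mode arguments are constructed values.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation or python-barbicanclient:
# drives the symmetric-key order workflow end to end with the openstack CLI.
# Assumes an authenticated environment (OS_* variables or clouds.yaml) and
# that the order columns named below can be selected with -f value -c COLUMN.
set -eu

# Submit an order for a new AES key and print the Order href.
# Usage: create_key_order NAME [BITS] [MODE]   e.g. create_key_order test-key 256 ctr
create_key_order() {
    name="$1"; bits="${2:-256}"; mode="${3:-ctr}"
    openstack secret order create --name "$name" --algorithm aes \
        --bit-length "$bits" --mode "$mode" -f value -c "Order href" key
}

# Poll the order until barbican has generated the key, then print the
# Secret href. Orders are processed asynchronously, so the Secret href is
# only available once the order reaches ACTIVE; ERROR is reported and a
# bounded number of polls avoids hanging forever on a stuck worker.
# Usage: wait_for_order_secret ORDER_HREF [TRIES] [INTERVAL_SECONDS]
wait_for_order_secret() {
    order_href="$1"; tries="${2:-30}"; interval="${3:-2}"
    while [ "$tries" -gt 0 ]; do
        status=$(openstack secret order get "$order_href" -f value -c Status)
        case "$status" in
            ACTIVE)
                openstack secret order get "$order_href" -f value -c "Secret href"
                return 0 ;;
            ERROR)
                echo "order $order_href failed: $(openstack secret order get "$order_href" -f value -c "Error message")" >&2
                return 1 ;;
        esac
        tries=$((tries - 1))
        sleep "$interval"
    done
    echo "timed out waiting for order $order_href" >&2
    return 1
}

# Create the key and print its Secret href. The stored secret's details can
# then be shown with: openstack secret get SECRET_HREF
# Usage: generate_symmetric_key NAME [BITS] [MODE]
generate_symmetric_key() {
    order_href=$(create_key_order "$@")
    wait_for_order_secret "$order_href"
}
```

Source the file and run `generate_symmetric_key test-key 256 ctr`; the printed Secret href is the value to pass to `openstack secret get`, and a non-zero exit means the order ended in ERROR or never became ACTIVE within the polling budget.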
4.6. Backup and Restore Keys
The process for backup and restore of encryption keys will vary depending on the type of back end:
4.6.1. Backup and restore the simple crypto back end
Two separate components need to be backed up for the simple crypto back end: the KEK and the database. It is recommended that you regularly test your backup and restore process.
4.6.1.1. Backup and restore the KEK
For the simple crypto back end, you need to back up the barbican.conf file, which is where the master KEK is written. This file must be backed up to a security-hardened location. The actual data is stored in the Barbican database in an encrypted state, as described in the next section.
To restore the key from a backup, copy the restored barbican.conf over the existing barbican.conf.
4.6.1.2. Backup and restore the back end database
This procedure describes how to back up and restore a barbican database for the simple crypto back end. To demonstrate this, you will generate a key and upload the secrets to barbican. You will then back up the barbican database and delete the secrets you created. Finally, you will restore the database and confirm that the secrets you created earlier have been recovered.
Be sure that you are also backing up the KEK, as described in the previous section; it is required together with the database backup.
4.6.1.2.1. Create the test secret
On the overcloud, generate a new 256-bit key using order create and store it in barbican. For example:
Create a test secret:
Confirm that the secrets were created:
4.6.1.2.2. Backup the barbican database
Run these steps while logged in to the controller-0 node.
Only the barbican user has access to the barbican database, so the barbican user password is required to back up or restore the database.
Retrieve the barbican user password. For example:
[heat-admin@controller-0 ~]$ sudo grep -r "barbican::db::mysql::password" /etc/puppet/hieradata
/etc/puppet/hieradata/service_configs.json:    "barbican::db::mysql::password": "seDJRsMNRrBdFryCmNUEFPPev",
Back up the barbican database:
[heat-admin@controller-0 ~]$ mysqldump -u barbican -p"seDJRsMNRrBdFryCmNUEFPPev" barbican > barbican_db_backup.sql
The database backup is stored in /home/heat-admin:
[heat-admin@controller-0 ~]$ ll
total 36
-rw-rw-r--. 1 heat-admin heat-admin 36715 Jun 19 18:31 barbican_db_backup.sql
4.6.1.2.3. Delete the test secrets
On the overcloud, delete the secrets you created previously, and verify they no longer exist. For example:
(overcloud) [stack@undercloud-0 ~]$ openstack secret delete http://10.0.0.104:9311/v1/secrets/93f62cfd-e008-401f-be74-bf057c88b04a
(overcloud) [stack@undercloud-0 ~]$ openstack secret delete http://10.0.0.104:9311/v1/secrets/f664b5cf-5221-47e5-9887-608972a5fefb
(overcloud) [stack@undercloud-0 ~]$ openstack secret list
(overcloud) [stack@undercloud-0 ~]$
4.6.1.2.4. Restore the databases
Run these steps while logged in to the controller-0 node.
Make sure that the barbican database exists on the controller and that the barbican user has been granted access to it for the restore:
Restore the backup file to the barbican database:
[heat-admin@controller-0 ~]$ sudo mysql -u barbican -p"seDJRsMNRrBdFryCmNUEFPPev" barbican < barbican_db_backup.sql
[heat-admin@controller-0 ~]$
4.6.1.2.5. Verify the restore process
On the overcloud, verify that the test secrets were restored successfully:
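The backup and restore steps above pass the barbican database password with `-p"..."`, which exposes it in process listings and shell history, and they do not check that the KEK being restored alongside the dump is the one the dump was encrypted under. The following is an added example, not code from the Red Hat documentation or the barbican project, that wraps the same mysqldump/mysql procedure with those two checks. It assumes the hieradata JSON key `barbican::db::mysql::password` shown on this page, that barbican.conf stores the master KEK as `kek = ...` under a `[simple_crypto_plugin]` section (an assumed layout), and that the MySQL client tools accept `--defaults-extra-file`; the passwords, KEK values and file paths used are constructed.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation or the barbican project:
# helpers for backing up and restoring the barbican database of the simple
# crypto back end without putting the DB password on the command line, and for
# checking that the KEK in the backed-up barbican.conf matches the live one.
# Assumptions: hieradata JSON carries "barbican::db::mysql::password" (as on
# this page); barbican.conf keeps the master KEK as "kek = ..." under
# [simple_crypto_plugin] (assumed layout); mysqldump/mysql accept
# --defaults-extra-file; sha256sum is available.
set -eu

# Print the barbican database password found in a hieradata JSON file.
# Usage: barbican_db_password /etc/puppet/hieradata/service_configs.json
barbican_db_password() {
    sed -n 's/.*"barbican::db::mysql::password": *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Write a MySQL client option file (mode 0600) holding the credentials, so the
# password is read from a file instead of appearing in `ps` output or shell
# history as it does with -p"...". Prints the option file path.
# Usage: write_mysql_option_file PASSWORD /root/.barbican-db.cnf
write_mysql_option_file() {
    password="$1"; outfile="$2"
    ( umask 077; printf '[client]\nuser=barbican\npassword=%s\n' "$password" > "$outfile" )
    chmod 600 "$outfile"
    echo "$outfile"
}

# Dump the barbican database and record its checksum next to the dump so a
# restore can detect a truncated or altered backup file.
# Usage: backup_barbican_db OPTION_FILE /backup/barbican_db_backup.sql
backup_barbican_db() {
    optfile="$1"; outfile="$2"
    mysqldump --defaults-extra-file="$optfile" barbican > "$outfile"
    sha256sum "$outfile" > "$outfile.sha256"
}

# Print the KEK value from the [simple_crypto_plugin] section of a
# barbican.conf with surrounding quotes removed (empty if absent). A kek line
# in any other section is ignored.
kek_from_conf() {
    awk '
        /^[ \t]*\[/ { in_section = ($0 ~ /^[ \t]*\[simple_crypto_plugin\][ \t]*$/); next }
        in_section && $0 ~ /^[ \t]*kek[ \t]*=/ {
            sub(/^[ \t]*kek[ \t]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            gsub(/^['\''"]|['\''"]$/, "")
            print; exit
        }' "$1"
}

# Succeed only if both files carry the same, non-empty KEK. Restoring a dump
# under a different KEK leaves secrets that the service cannot decrypt.
kek_matches() {
    backup_kek=$(kek_from_conf "$1")
    [ -n "$backup_kek" ] && [ "$backup_kek" = "$(kek_from_conf "$2")" ]
}

# Restore the dump only after the KEK check and the checksum check pass.
# Usage: restore_barbican_db OPTION_FILE DUMP BACKUP_CONF LIVE_CONF
restore_barbican_db() {
    optfile="$1"; dump="$2"; backup_conf="$3"; live_conf="$4"
    if ! kek_matches "$backup_conf" "$live_conf"; then
        echo "KEK in $backup_conf does not match $live_conf; refusing to restore" >&2
        return 1
    fi
    sha256sum -c "$dump.sha256" > /dev/null
    mysql --defaults-extra-file="$optfile" barbican < "$dump"
}
```

Typical use on the controller is `opt=$(write_mysql_option_file "$(barbican_db_password /etc/puppet/hieradata/service_configs.json)" /root/.barbican-db.cnf)`, then `backup_barbican_db "$opt" /backup/barbican_db_backup.sql`; at restore time, pass the backed-up and live barbican.conf paths so that the restore is refused when the KEKs differ. Delete the option file once the operation is done.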