OpenStack Barbican & HSM Flow

I assume you know what a Hardware Security Module (HSM) is. If not, see https://en.wikipedia.org/wiki/Hardware_security_module

HSM Limitations

  • Maximum of 20 partitions/slots (e.g. Luna HSM)
    • Enough space to hold an RSA key pair
    • Default total storage space on the HSM is 2 MB (upgrade to 15 MB)
  • Only a limited number of keys can be stored
  • Performance is subject to network latency, scale and HSM performance

Barbican is an OpenStack module for storing secrets. I’ll write a few blog posts on a Barbican PoC later. Barbican + HSM can make a great combination for storing your cloud secrets to meet security and PCI-based compliance requirements. Without wasting time, here is what the integration flow looks like:


High-Level flow of Barbican & HSM integration

  • The MKEK (Master Key Encryption Key) is a key global to Barbican
  • A unique project-level KEK is stored in Barbican (in fact, the encrypted KEK is stored)
  • Data Encryption Keys (DEKs) are stored in Barbican (in fact, the encrypted DEK is stored)
  • The MKEK wraps every project’s unique KEK
  • The KEK wraps the project’s DEK
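
The key hierarchy above, as an added Python sketch (not from the original post and not Barbican's code): it shows that only wrapped KEKs and DEKs need to be stored, that one project's KEK cannot unwrap another project's DEK, and that replacing the MKEK re-wraps KEKs only. Assumptions: `SimulatedHSM`, `wrap` and `unwrap` are hypothetical names, the HMAC-SHA256 construction is a standard-library stand-in for the HSM's own wrap mechanism, and KEK unwrapping is modelled as happening inside the HSM.

```python
import hashlib
import hmac
import os

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def wrap(wrapping_key: bytes, key: bytes) -> bytes:
    """Stand-in key wrap (NOT the HSM's mechanism): nonce || ciphertext || tag."""
    if len(key) != 32:
        raise ValueError("this sketch wraps 32-byte keys only")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(key, _prf(wrapping_key, b"enc" + nonce)))
    return nonce + ct + _prf(wrapping_key, b"mac" + nonce + ct)

def unwrap(wrapping_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(wrapping_key, b"mac" + nonce + ct)):
        raise ValueError("unwrap failed: wrong wrapping key or modified blob")
    return bytes(a ^ b for a, b in zip(ct, _prf(wrapping_key, b"enc" + nonce)))

class SimulatedHSM:
    """Constructed stand-in for the HSM: the MKEK never leaves this object."""
    def __init__(self) -> None:
        self._mkek = os.urandom(32)

    def new_wrapped_kek(self) -> bytes:
        # Per-project KEK; only its MKEK-wrapped form is returned for storage.
        return wrap(self._mkek, os.urandom(32))

    def wrap_dek(self, wrapped_kek: bytes, dek: bytes) -> bytes:
        return wrap(unwrap(self._mkek, wrapped_kek), dek)

    def unwrap_dek(self, wrapped_kek: bytes, wrapped_dek: bytes) -> bytes:
        return unwrap(unwrap(self._mkek, wrapped_kek), wrapped_dek)

    def rotate_mkek(self, wrapped_keks: dict) -> dict:
        # Rotating the MKEK re-wraps one KEK per project; wrapped DEKs are untouched.
        old, self._mkek = self._mkek, os.urandom(32)
        return {p: wrap(self._mkek, unwrap(old, w)) for p, w in wrapped_keks.items()}

if __name__ == "__main__":
    hsm = SimulatedHSM()
    keks = {"project-a": hsm.new_wrapped_kek(), "project-b": hsm.new_wrapped_kek()}
    dek = os.urandom(32)                               # constructed sample DEK
    stored = hsm.wrap_dek(keks["project-a"], dek)      # the form a database would hold
    print("round trip ok:", hsm.unwrap_dek(keks["project-a"], stored) == dek)
    keks = hsm.rotate_mkek(keks)
    print("after MKEK rotation:", hsm.unwrap_dek(keks["project-a"], stored) == dek)
```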

