Archive

Archive for the ‘Openstack’ Category

OpenStack Barbican & HSM Flow

December 28, 2016 Leave a comment

I assume you know what Hardware Security Module in short HSM is… if not https://en.wikipedia.org/wiki/Hardware_security_module

HSM Limitations

  • Maximum 20 partitions/slots (eg: Luna HSM)
    • Enough space to hold an RSA key-pair
    • Default total storage space on the HSM is 2 MB (upgrade to 15MB)
  • Only limited number of keys can be stored
  • Performance subject to network latency, scale and HSM performance

Barbican is an Openstack module for storing secrets. I’ll write few blog posts on Barbican PoC later. Barbican + HSM can make a great combination for storing your cloud secrets to meet security and PCI based compliance requirements. Not wasting time, here is how integration flow looks like…

barbican_hsm_flow

High-Level flow of Barbican & HSM integration

  • MKEK (Master Key Encryption Key) is global key to Barbican
  • Project level unique KEK stored in Barbican (in fact encrypted KEK is stored)
  • Data Encryption Keys (DEK) stored in Barbican (in fact encrypted DEK is stored)
  • MKEK wraps every project’s unique KEK
  • KEK wraps project’s DEK

 

Advertisements