I think that a Vault backend would only be valuable to folks who are already using Vault.

For deployers who don't yet have a key management solution, a Vault backend would not solve the problem of having to deploy yet another service. In fact it would make it worse since the deployer would have to deploy both Vault AND Barbican to get a working solution. It seems to me that it would create the same concerns that folks are having about deploying DogTag and Barbican to get a software-only solution.

I do like Vault, and I think that some of the things they've done with the software-only configuration are pretty cool. I spent some time looking into what it would take to wire up Barbican to use Vault as a backend, and the tricky part is being able to map Keystone auth to one of Vault's many auth drivers. For my use case, the effort of sorting out the auth mapping between the two systems in addition to the overhead of running both Vault and Barbican seemed like a bigger task than improving the Simple Crypto driver to remove the encryption key from the conf file.

- Douglas

On 1/17/17 7:49 AM, Dave McCowan (dmccowan) wrote:
>
> On 1/16/17, 3:06 PM, "Ian Cordasco" <sigmaviru...@gmail.com> wrote:
>
>> -----Original Message-----
>> From: Dave McCowan (dmccowan) <dmcco...@cisco.com>
>> Reply: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org>
>> Date: January 16, 2017 at 13:03:41
>> To: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org>
>> Subject: Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?
>>
>>> Yep. Barbican supports four backend secret stores. [1]
>>>
>>> The first (Simple Crypto) is easy to deploy, but not extraordinarily secure, since the secrets are encrypted using a static key defined in the barbican.conf file.
>>>
>>> The second and third (PKCS#11 and KMIP) are secure, but require an HSM as a hardware base to encrypt and/or store the secrets.
>>>
>>> The fourth (Dogtag) is secure, but requires a deployment of Dogtag to encrypt and store the secrets.
>>>
>>> We do not currently have a secret store that is both highly secure and easy to deploy/manage.
>>>
>>> We, the Barbican community, are very open to any ideas, blueprints, or patches on how to achieve this. In any of the homegrown per-project secret stores, has a solution been developed that solves both of these?
>>>
>>> [1] http://docs.openstack.org/project-install-guide/key-manager/draft/barbican-backend.html
>>
>> So there seems to be a consensus that Vault is a good easy and secure solution to deploy. Can Barbican use that as a backend secret store?
>
> Adding a new secret store plugin for Vault would be a welcome addition. We have documentation in our repo on how to write a new plugin. [1] I can schedule some time at the PTG to plan for this in Pike if there are interested developers.
>
> [1] https://github.com/openstack/barbican/blob/master/doc/source/plugin/secret_store.rst
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev