Setting Up

getpostman.com
Freenode IRC: #barbican-workshop
https://etherpad.openstack.org/p/barbican-workshop-qa
Barbican: Securing Your Secrets

Who We Are

Chelsea Winfree (@chellygel, IRC: chellygel)
John Vrbanac (IRC: jmvrbanac, +JohnVrbanac)
Steven Heyman (@330cic, IRC: hockeynut)
Barbican: Securing Your Secrets
Importance of Secret Storage
Why Barbican?

How do you use Barbican?
What is Barbican?
Importance of Secret Storage
Key Management
Private Data
Trusted Data

Key Management

Where are my keys?
Private Data

Medical or Financial Records
Contracts
Surprise Birthday Party
Database Passwords
Trusted Data
Who do you trust?
How do you know you can trust them?
SSL / TLS

Why Barbican?

Key Management
Private Data
Trusted Data
Why Barbican?

Key Management

Where is your Key?
Where is your Data?
Why Barbican?
Encryption and Decryption are hard!
Private Data
Why Barbican?

Trusted Data
Managed Private Key
Secure Certificate
Trust Built
What is Barbican?

Open Source
Python
REST API
Incubated in OpenStack
Key Management System
Tools of the Trade

Secret
Order
Container
Setting Up

https://www.getpostman.com/
Freenode IRC: #barbican-workshop
https://etherpad.openstack.org/p/barbican-workshop-qa

Using Barbican

Authentication

Keystone
Get an Auth Token
Verify Auth Token
Makes Request w/ Token
Returns Response
Authentication

POST http://workshop-lon-auth.cloudkeep.io/v2.0/tokens
Content-Type: application/json
Accept: application/json
BODY:
{
  "auth": {
    "passwordCredentials": {
      "username": "{YOUR_USERNAME}",
      "password": "{YOUR_PASSWORD}"
    },
    "tenantName": "{YOUR_TENANT_NAME}"
  }
}
RESPONSE:
{
  "access": {
    "token": {
      "id": "{YOUR_AUTH_TOKEN}",
      "expires": "2014-10-10T22:23:47Z",
      "issued_at": "2014-10-10T21:23:47.498474"
    },
    ----------------- snip ----------------
  }
}
Exercise A-1
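The token exchange above, worked through as an added Python example; this is not code from the slides or from Keystone/Barbican. It builds the v2.0 passwordCredentials body, pulls the token id and its expiry out of a constructed response shaped like the slide's, and decides whether a cached token may still be sent as X-Auth-Token. The token value, the five-minute safety margin and the redact helper are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# URL from the slide; credentials and token values below are constructed placeholders.
KEYSTONE_TOKENS_URL = "http://workshop-lon-auth.cloudkeep.io/v2.0/tokens"


def build_token_request(username, password, tenant_name):
    """Keystone v2.0 passwordCredentials body exactly as shown on the slide."""
    return {
        "auth": {
            "passwordCredentials": {"username": username, "password": password},
            "tenantName": tenant_name,
        }
    }


def parse_utc(stamp):
    """Keystone gives 'expires' as an ISO-8601 UTC string with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_token(response_text):
    """Pull the token id and its UTC expiry out of a v2.0 token response."""
    token = json.loads(response_text)["access"]["token"]
    return token["id"], parse_utc(token["expires"])


def token_is_usable(expires, now, margin=timedelta(minutes=5)):
    """Reuse a cached token only if it outlives the request by `margin` (assumed
    value), so a call never races the expiry and fails with 401 half-way through."""
    return now + margin < expires


def auth_headers(token_id):
    """Headers every Barbican call on the later slides needs."""
    return {"X-Auth-Token": token_id, "Accept": "application/json"}


def redact(token_id):
    """Log-safe form of a token: it is a bearer credential, so never log it whole."""
    return token_id[:4] + "..." + token_id[-4:] if len(token_id) > 12 else "***"


# Constructed response in the shape the slide shows; the id is a placeholder, not a real token.
SAMPLE_RESPONSE = json.dumps({
    "access": {
        "token": {
            "id": "CONSTRUCTED-TOKEN-0123456789abcdef",
            "expires": "2014-10-10T22:23:47Z",
            "issued_at": "2014-10-10T21:23:47.498474",
        }
    }
})

if __name__ == "__main__":
    body = build_token_request("{YOUR_USERNAME}", "{YOUR_PASSWORD}", "{YOUR_TENANT_NAME}")
    print("POST", KEYSTONE_TOKENS_URL, json.dumps(body))
    token_id, expires = parse_token(SAMPLE_RESPONSE)
    now = parse_utc("2014-10-10T21:30:00Z")          # constructed clock for the demo
    print("token", redact(token_id), "usable:", token_is_usable(expires, now))
```

Anyone holding the X-Auth-Token value can act as you until it expires, so the client keeps it out of logs and refreshes it before it lapses instead of waiting for the first 401.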
Secrets

A singular item that lives inside Barbican
Metadata: Content Type, Algorithm, Bit Length, Name, Mode, Expiration Date
Payload: Plain Text, Base 64, Raw Binary*
Create a Secret

POST http://workshop-lon-api.cloudkeep.io/v1/secrets
Content-Type: application/json
X-Auth-Token: {YOUR_AUTH_TOKEN}
BODY:
{
  "name": "Super secret thing",
  "expiration": "2014-12-28T19:14:44.180394",
  "payload": "beer",
  "payload_content_type": "text/plain"
}
RESPONSE:
{
  "secret_ref": "http://workshop-lon-api.cloudkeep.io/v1/secrets/fe0eac05-8eff-4eff-81e3-16e2e640241b"
}
Exercise S-1
Retrieve Secret Metadata

GET http://workshop-lon-api.cloudkeep.io/v1/secrets/{YOUR_SECRET_UUID}
X-Auth-Token: {YOUR_AUTH_TOKEN}
RESPONSE:
{
  "created": "2014-10-10T19:44:57.833424",
  "updated": "2014-10-10T19:44:57.838825",
  "expiration": "2014-10-28T19:14:44.180394",
  "mode": null,
  "name": "Super secret thing",
  "status": "ACTIVE",
  "algorithm": null,
  "bit_length": null,
  "secret_ref": "http://workshop-lon-api.cloudkeep.io/v1/secrets/{YOUR_SECRET_UUID}",
  "content_types": {
    "default": "text/plain"
  }
}
Exercise S-2
Retrieve Secret Payload

GET http://workshop-lon-api.cloudkeep.io/v1/secrets/{YOUR_SECRET_UUID}
Accept: text/plain
X-Auth-Token: {YOUR_AUTH_TOKEN}
RESPONSE:
beer

Exercise S-3
Retrieve a List of Secrets

GET http://workshop-lon-api.cloudkeep.io/v1/secrets
X-Auth-Token: {YOUR_AUTH_TOKEN}
RESPONSE:
{
  "next": "http://workshop-lon-api.cloudkeep.io/v1/secrets?limit=10&offset=10",
  "secrets": [
    {
      "algorithm": null,
      "bit_length": null,
      "content_types": {
        "default": "text/plain"
      },
      "created": "2014-10-10T02:35:42.463513",
      "expiration": "2014-10-28T19:14:44.180394",
      "mode": null,
      "name": "Super secret thing",
      "secret_ref": "http://workshop-lon-api.cloudkeep.io/v1/secrets/{SECRET_UUID}",
      "status": "ACTIVE",
      "updated": "2014-10-10T02:35:42.470646"
    },
    --------------- snip -------------------
  ],
  "total": 3803
}
Exercise S-4
Deleting a Secret

DELETE http://workshop-lon-api.cloudkeep.io/v1/secrets/{YOUR_SECRET_UUID}
X-Auth-Token: {YOUR_AUTH_TOKEN}
Exercise S-5
Can You Keep A Secret?

Create a Secret
Retrieve Secret Metadata
Retrieve a List of Secrets
Delete a Secret
Retrieve Secret Payload
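Exercises S-1 to S-5 as one added Python walk-through; this is an example written for this page, not code from the slides or from Barbican. The requests and responses follow the shapes shown on the slides. FakeBarbican is a constructed in-memory stand-in so the client runs offline; everything it does beyond the slides (returning HTTP 406 when Accept does not match the stored content type, the token value, the page size) is an assumption.

```python
import json
import uuid
from urllib.parse import parse_qs, urlsplit

API = "http://workshop-lon-api.cloudkeep.io/v1"   # base URL from the slides
TOKEN = "CONSTRUCTED-VALID-TOKEN"                  # placeholder, not a real token

class FakeBarbican:
    """Constructed in-memory stand-in for the workshop endpoint so the client runs
    offline. It copies the request/response shapes on the slides and nothing more;
    it is not Barbican's code. Answering 406 when Accept differs from the stored
    content type is an assumption about the real service."""
    def __init__(self, page_size=10):
        self.meta, self.payloads, self.page_size = {}, {}, page_size

    def request(self, method, url, headers, body=None):
        if headers.get("X-Auth-Token") != TOKEN:
            return 401, ""
        parts = urlsplit(url)
        segs = parts.path.split("/")                  # ['', 'v1', 'secrets', '<uuid>']
        if len(segs) < 3 or segs[2] != "secrets":
            return 404, ""
        if len(segs) == 3 and method == "POST":       # create a secret
            sid, ctype = str(uuid.uuid4()), body["payload_content_type"]
            self.meta[sid] = {"name": body.get("name"), "expiration": body.get("expiration"),
                              "algorithm": None, "bit_length": None, "mode": None,
                              "status": "ACTIVE", "secret_ref": f"{API}/secrets/{sid}",
                              "content_types": {"default": ctype}}
            self.payloads[sid] = (ctype, body["payload"])
            return 201, json.dumps({"secret_ref": self.meta[sid]["secret_ref"]})
        if len(segs) == 3 and method == "GET":        # paginated list with a "next" link
            q = parse_qs(parts.query)
            limit = int(q.get("limit", [self.page_size])[0])
            offset = int(q.get("offset", [0])[0])
            items = list(self.meta.values())
            page = {"secrets": items[offset:offset + limit], "total": len(items)}
            if offset + limit < len(items):
                page["next"] = f"{API}/secrets?limit={limit}&offset={offset + limit}"
            return 200, json.dumps(page)
        sid = segs[3]
        if sid not in self.meta:
            return 404, ""
        if method == "DELETE":
            del self.meta[sid], self.payloads[sid]
            return 204, ""
        accept = headers.get("Accept", "application/json")
        if accept == "application/json":              # metadata only
            return 200, json.dumps(self.meta[sid])
        ctype, payload = self.payloads[sid]           # payload, only in its stored type
        return (200, payload) if accept == ctype else (406, "")

class BarbicanError(Exception):
    pass

def _call(http, method, url, body=None, accept="application/json"):
    headers = {"X-Auth-Token": TOKEN, "Accept": accept, "Content-Type": "application/json"}
    status, text = http.request(method, url, headers, body)
    if status >= 400:
        raise BarbicanError(f"{method} {url} -> HTTP {status}")
    return text

def create_secret(http, name, payload, content_type="text/plain", expiration=None):
    body = {"name": name, "payload": payload, "payload_content_type": content_type}
    if expiration:
        body["expiration"] = expiration
    return json.loads(_call(http, "POST", f"{API}/secrets", body))["secret_ref"]

def get_secret_metadata(http, secret_ref):
    return json.loads(_call(http, "GET", secret_ref))

def get_secret_payload(http, secret_ref):
    # Read the stored content type first and send it as Accept: asking for the
    # wrong type does not return the payload (S-3 on the slides asks for text/plain).
    ctype = get_secret_metadata(http, secret_ref)["content_types"]["default"]
    return _call(http, "GET", secret_ref, accept=ctype)

def list_all_secrets(http, limit=10):
    """Walk the 'next' links to the last page instead of trusting a single page."""
    url, found = f"{API}/secrets?limit={limit}&offset=0", []
    while url:
        page = json.loads(_call(http, "GET", url))
        found.extend(page["secrets"])
        url = page.get("next")
    return found

def delete_secret(http, secret_ref):
    _call(http, "DELETE", secret_ref)

def lifecycle_demo(http=None):
    """S-1 to S-5 in order; returns (status, payload, count before delete, count after)."""
    http = http or FakeBarbican(page_size=2)
    refs = [create_secret(http, f"Super secret thing {i}", "beer",
                          expiration="2014-12-28T19:14:44.180394") for i in range(3)]
    status = get_secret_metadata(http, refs[0])["status"]
    payload = get_secret_payload(http, refs[0])
    before = len(list_all_secrets(http, limit=2))
    delete_secret(http, refs[0])
    return status, payload, before, len(list_all_secrets(http, limit=2))

if __name__ == "__main__":
    print(lifecycle_demo())   # ('ACTIVE', 'beer', 3, 2)
```

Two details worth noticing: the same secret URL returns metadata or the payload depending only on the Accept header, so a client should fetch the stored content type before asking for the payload, and a list is one page of a paginated result, so anything that audits or cleans up secrets has to follow the next link rather than stop after the first response.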
Orders

Singular action that will generate a secret
Asynchronously encapsulates workflow and history of secret creation.
Example: SSL Certificates
Creating an Order

POST http://workshop-lon-api.cloudkeep.io/v1/orders
Content-Type: application/json
X-Auth-Token: {YOUR_AUTH_TOKEN}
BODY:
{
  "type": "key",
  "meta": {
    "mode": "cbc",
    "bit_length": 256,
    "name": "secretname",
    "algorithm": "aes",
    "payload_content_type": "application/octet-stream"
  }
}
RESPONSE:
{
  "order_ref": "http://workshop-lon-api.cloudkeep.io/v1/orders/{YOUR_ORDER_UUID}"
}
Exercise O-1
Get an Order

GET http://workshop-lon-api.cloudkeep.io/v1/orders/{YOUR_ORDER_UUID}
X-Auth-Token: {YOUR_AUTH_TOKEN}
RESPONSE:
{
  "status": "ACTIVE",
  "type": "key",
  "meta": {
    "algorithm": "aes",
    "bit_length": 256,
    "mode": "cbc",
    "payload_content_type": "application/octet-stream"
  },
  "order_ref": "http://workshop-lon-api.cloudkeep.io/v1/orders/{YOUR_ORDER_UUID}",
  "secret_ref": "http://workshop-lon-api.cloudkeep.io/v1/secrets/{CREATED_SECRET_UUID}",
  "created": "2014-10-10T19:43:09.828927",
  "updated": "2014-10-10T19:43:09.864890"
}
Exercise O-2
Get a List of Orders

GET http://workshop-lon-api.cloudkeep.io/v1/orders
X-Auth-Token: {YOUR_AUTH_TOKEN}
RESPONSE:
{
  "next": "http://workshop-lon-api.cloudkeep.io/v1/orders?limit=10&offset=10",
  "orders": [
    {
      "status": "ACTIVE",
      "type": "key",
      "meta": {
        "algorithm": "aes",
        "bit_length": 256,
        "expiration": null,
        "mode": "cbc",
        "name": "secretname"
      },
      "order_ref": "http://workshop-lon-api.cloudkeep.io/v1/orders/{ORDER_UUID}",
      "secret_ref": "http://workshop-lon-api.cloudkeep.io/v1/secrets/{SECRET_UUID}",
      "created": "2014-10-10T02:47:48.564067",
      "updated": "2014-10-10T02:47:48.591162"
    },
    -------------- snip ------------
  ],
  "total": 3803
}
Exercise O-3
Delete an Order

DELETE http://workshop-lon-api.cloudkeep.io/v1/orders/{YOUR_ORDER_UUID}
X-Auth-Token: {YOUR_AUTH_TOKEN}
Exercise O-4
Following Orders

Create an Order
GET an Order
Get a List of Orders
Delete an Order
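Orders complete asynchronously, so a client has to poll the order_ref until the secret_ref appears. This added Python example (not code from the slides or from Barbican) builds the AES key order shown above and polls with a bounded, exponentially backed-off loop. FakeOrderBackend is a constructed stand-in so the example runs offline; the PENDING and ERROR states and the error_reason field are assumptions taken from the Barbican API rather than something the slides show, as are the token value and the placeholder UUIDs.

```python
import time

API = "http://workshop-lon-api.cloudkeep.io/v1"   # base URL from the slides
TOKEN = "CONSTRUCTED-VALID-TOKEN"                  # placeholder, not a real token

class OrderError(Exception):
    pass

class FakeOrderBackend:
    """Constructed stand-in for /v1/orders: the order reports PENDING for the first
    `pending_polls` GETs, then ACTIVE with a secret_ref (or ERROR when `fail` is set).
    Not Barbican's code; the PENDING/ERROR states and error_reason are assumptions."""
    def __init__(self, pending_polls=2, fail=False):
        self.polls, self.pending_polls, self.fail = 0, pending_polls, fail
        self.order_ref = f"{API}/orders/CONSTRUCTED-ORDER-UUID"
        self.meta = None

    def request(self, method, url, headers, body=None):
        if headers.get("X-Auth-Token") != TOKEN:
            return 401, {}
        if method == "POST":
            self.meta = body["meta"]
            return 202, {"order_ref": self.order_ref}
        if url != self.order_ref or self.meta is None:
            return 404, {}
        self.polls += 1
        order = {"type": "key", "meta": self.meta, "order_ref": self.order_ref}
        if self.fail:
            order.update(status="ERROR", error_reason="constructed backend failure")
        elif self.polls <= self.pending_polls:
            order["status"] = "PENDING"
        else:
            order.update(status="ACTIVE", secret_ref=f"{API}/secrets/CONSTRUCTED-SECRET-UUID")
        return 200, order

def build_key_order(name, algorithm="aes", bit_length=256, mode="cbc"):
    """Order body from the slide, with the key size checked before it leaves the client."""
    if algorithm == "aes" and bit_length not in (128, 192, 256):
        raise ValueError(f"AES keys are 128, 192 or 256 bits, not {bit_length}")
    return {"type": "key", "meta": {"name": name, "algorithm": algorithm, "bit_length": bit_length,
                                    "mode": mode, "payload_content_type": "application/octet-stream"}}

def create_order(http, order):
    headers = {"X-Auth-Token": TOKEN, "Content-Type": "application/json"}
    status, resp = http.request("POST", f"{API}/orders", headers, order)
    if status >= 400:
        raise OrderError(f"order rejected: HTTP {status}")
    return resp["order_ref"]

def wait_for_order(http, order_ref, max_polls=8, base_delay=0.5, sleep=time.sleep):
    """Poll until the order is ACTIVE and return its secret_ref. Delays double each
    round and the loop is bounded, so a stuck order cannot hang the caller."""
    for attempt in range(max_polls):
        status, order = http.request("GET", order_ref, {"X-Auth-Token": TOKEN})
        if status >= 400:
            raise OrderError(f"GET {order_ref} -> HTTP {status}")
        if order["status"] == "ACTIVE":
            return order["secret_ref"]
        if order["status"] == "ERROR":
            raise OrderError(order.get("error_reason", "order failed"))
        sleep(base_delay * 2 ** attempt)
    raise OrderError(f"order still {order['status']} after {max_polls} polls")

def order_demo(backend=None, sleeps=None):
    """Create the 256-bit AES key order and wait for it; returns (secret_ref, polls, delays)."""
    http = backend or FakeOrderBackend(pending_polls=2)
    delays = [] if sleeps is None else sleeps
    secret_ref = wait_for_order(http, create_order(http, build_key_order("secretname")), sleep=delays.append)
    return secret_ref, http.polls, delays

if __name__ == "__main__":
    print(order_demo())   # (API + '/secrets/CONSTRUCTED-SECRET-UUID', 3, [0.5, 1.0])
```

The secret_ref on an ACTIVE order is the handle to fetch the generated key with the secret calls from the previous section; the order itself only records that the key was made and with what parameters.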
Containers

Stores a reference (or references) to secrets
3 Types of Containers: Generic, RSA, Certificate
Example RSA Container: Private Key, Public Key, Private Key Passphrase
Creating a Container

POST http://workshop-lon-api.cloudkeep.io/v1/containers
X-Auth-Token: {YOUR_AUTH_TOKEN}
Content-Type: application/json
BODY:
{
  "type": "generic",
  "name": "Pitcher",
  "secret_refs": [
    {
      "name": "private_key",
      "secret_ref": "http://workshop-lon-api.cloudkeep.io/v1/secrets/{A_SECRET_UUID}"
    }
  ]
}
RESPONSE:
{
  "container_ref": "http://workshop-lon-api.cloudkeep.io/v1/containers/{YOUR_CONTAINER_UUID}"
}
Exercise C-1
Get a Container

GET http://workshop-lon-api.cloudkeep.io/v1/containers/{YOUR_CONTAINER_UUID}
X-Auth-Token: {YOUR_AUTH_TOKEN}
RESPONSE:
{
  "status": "ACTIVE",
  "type": "generic",
  "name": "container name",
  "consumers": [],
  "secret_refs": [
    {
      "name": "private_key",
      "secret_ref": "http://workshop-lon-api.cloudkeep.io/v1/secrets/{SECRET_UUID}"
    }
  ],
  "container_ref": "http://workshop-lon-api.cloudkeep.io/v1/containers/{YOUR_CONTAINER_UUID}",
  "created": "2014-10-10T19:36:42.313216",
  "updated": "2014-10-10T19:36:42.313225"
}
Exercise C-2
Get a List of Containers

GET http://workshop-lon-api.cloudkeep.io/v1/containers
X-Auth-Token: {YOUR_AUTH_TOKEN}
RESPONSE:
{
  "next": "http://workshop-ord-api.cloudkeep.io/v1/containers?limit=10&offset=10",
  "containers": [
    {
      "status": "ACTIVE",
      "type": "generic",
      "name": "container name",
      "consumers": [],
      "secret_refs": [
        {
          "name": "private_key",
          "secret_ref": "http://workshop-lon-api.cloudkeep.io/v1/secrets/{SECRET_UUID}"
        }
      ],
      "container_ref": "http://workshop-lon-api.cloudkeep.io/v1/containers/{CONTAINER_UUID}",
      "created": "2014-10-10T19:36:42.313216",
      "updated": "2014-10-10T19:36:42.313225"
    },
    ------------------ snip ----------------------
  ],
  "total": 2102
}
Exercise C-3
Delete a Container

DELETE http://workshop-lon-api.cloudkeep.io/v1/containers/{YOUR_CONTAINER_UUID}
X-Auth-Token: {YOUR_AUTH_TOKEN}
Exercise C-4
Contain Yourself!

Create a Container
GET a Container
Get a List of Containers
Delete a Container
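Exercises C-1 to C-4 build a container body, read it back and delete it. This added Python example (not code from the slides or from Barbican) checks a container body before it is sent: the type is one of the three listed above, the secret names are the ones that type expects, and every secret_ref is a UUID under this API's /v1/secrets path rather than a reference into some other deployment. The rsa names are the ones on the slide; the certificate names, the random demo UUIDs and the reading of an empty consumers list as "safe to delete" are assumptions.

```python
import uuid

API = "http://workshop-lon-api.cloudkeep.io/v1"   # base URL from the slides

# Secret names per container type. "generic" takes any names; the rsa names are
# from the slide; the certificate names are an assumption from the Barbican API.
REQUIRED = {"generic": set(), "rsa": {"private_key", "public_key"}, "certificate": {"certificate"}}
OPTIONAL = {"generic": None, "rsa": {"private_key_passphrase"},
            "certificate": {"private_key", "private_key_passphrase", "intermediates"}}

def check_secret_ref(secret_ref, api_base=API):
    """Accept only <api_base>/secrets/<uuid>: a container must not point at another
    deployment's secrets, and the id must parse as a UUID, nothing more."""
    prefix = api_base.rstrip("/") + "/secrets/"
    if not secret_ref.startswith(prefix):
        raise ValueError(f"secret_ref {secret_ref!r} is not under {prefix}")
    try:
        uuid.UUID(secret_ref[len(prefix):])
    except ValueError:
        raise ValueError(f"secret_ref {secret_ref!r} does not end in a plain UUID") from None
    return secret_ref

def build_container(ctype, name, secret_refs, api_base=API):
    """Build the POST /v1/containers body from (name, secret_ref) pairs after
    checking the type, the names that type allows and every ref."""
    if ctype not in REQUIRED:
        raise ValueError(f"unknown container type {ctype!r}")
    names = [n for n, _ in secret_refs]
    if len(set(names)) != len(names):
        raise ValueError("duplicate secret names in container")
    if OPTIONAL[ctype] is not None:                    # typed containers take fixed names
        unexpected = set(names) - (REQUIRED[ctype] | OPTIONAL[ctype])
        if unexpected:
            raise ValueError(f"{ctype} container does not take {sorted(unexpected)}")
    missing = REQUIRED[ctype] - set(names)
    if missing:
        raise ValueError(f"{ctype} container is missing {sorted(missing)}")
    return {"type": ctype, "name": name,
            "secret_refs": [{"name": n, "secret_ref": check_secret_ref(r, api_base)}
                            for n, r in secret_refs]}

def safe_to_delete(container):
    """The GET response carries a 'consumers' list; treat a non-empty one as
    'still in use' and an absent one as unknown, and only delete when it is []."""
    return container.get("consumers") == []

# Constructed refs with random UUIDs standing in for {A_SECRET_UUID} on the slide.
PRIV = f"{API}/secrets/{uuid.uuid4()}"
PUB = f"{API}/secrets/{uuid.uuid4()}"

if __name__ == "__main__":
    body = build_container("rsa", "Pitcher", [("private_key", PRIV), ("public_key", PUB)])
    print(body)
    print("safe to delete:", safe_to_delete({"consumers": []}))
```

Validating the body client-side keeps a typo in a secret name or a ref copied from the wrong environment from becoming a container that looks fine in the list but hands a consumer the wrong key.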
Wrap-Up and Questions

Important Information

https://github.com/openstack/barbican/
http://slides.com/chellygel/barbican-storing-secrets/
@chellygel
https://etherpad.openstack.org/p/barbican-workshop-qa
@330cic
barbican-storing-secrets
By chellygel
Barbican: Storing Your Secrets.