Barbican: Securing Your Secrets

Importance of Secret Storage
Why Barbican?
The Future of Barbican

How do you use Barbican?
What is Barbican?
Importance of Secret Storage
Key Management
Private Data
Trusted Data
Key Management

Where are my keys?
Importance of Secret Storage

Key Management
Importance of Secret Storage

Private Data

Medical or Financial Records
Importance of Secret Storage
Contracts
Surprise Birthday Party
Business Emails
Database Passwords
Trusted Data
Importance of Secret Storage
Who do you trust?
How do you know you can trust them?
SSL / TLS Websites

Why Barbican?

Key Management
Private Data
Trusted Data
Why Barbican?

Key Management

Where do you store your Key & Data?
How do you store Key & Data?
Why Barbican?

Encryption and Decryption is hard!
Private Data
Why Barbican?

Trusted Data
Managed Private Key = Secure Certificate = Trust Built
What is Barbican?

Open Source
Python
REST API
OpenStack
Key Management System

Your Data
Your Barbican
What is Barbican?

Your Key
Tools of the Trade

Secret
Order
Container
How to Store & Retrieve Secrets
How to Submit an Order
How to Create a Container
How do you use Barbican?

How to Store & Retrieve Secrets
How do you use Barbican?

curl -X POST -H 'content-type:application/json' \
  -H 'X-Project-Id:12345' \
  -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' \
  http://localhost:9311/v1/secrets
-> {"secret_ref": "http://localhost:9311/v1/secrets/2a549393-0710-444b-8aa5-84cf0f85ea79"}
Create a Secret
Python Barbican Client
How to Store & Retrieve Secrets
How do you use Barbican?

curl -H 'Accept: text/plain' \
  -H 'X-Project-Id: 12345' \
  http://localhost:9311/v1/secrets/2a549393-0710-444b-8aa5-84cf0f85ea79
-> my-secret-here
Retrieve a Secret
Python Barbican Client
How do you use Barbican?

curl -X POST -H 'content-type:application/json' \
  -H 'X-Project-Id: 12345' \
  -d '{ "secret":
        {"name": "secretname",
         "algorithm": "aes",
         "bit_length": 256,
         "mode": "cbc",
         "payload_content_type": "application/octet-stream"
        }
      }' \
  http://localhost:9311/v1/orders
-> {"order_ref": "http://localhost:9311/v1/orders/62d57f53-ecfe-4ae4-87bd-fab2f24e29bc"}
Create an Order
Python Barbican Client
How to Submit an Order
How do you use Barbican?

curl -H 'X-Project-Id: 12345' \
  http://localhost:9311/v1/orders/62d57f53-ecfe-4ae4-87bd-fab2f24e29bc
-> {"status": "ACTIVE",
"secret_ref": "http://localhost:9311/v1/secrets/2df8d196-76b6-4f89-a6d2-c9e764900791",
"updated": "2013-11-04T16:39:13.608659",
"created": "2013-11-04T16:39:13.574489",
"secret": {
"name": "secretname",
"algorithm": "aes",
"payload_content_type": "application/octet-stream",
"expiration": null,
"bit_length": 256,
"mode": "cbc"
},
"order_ref": "http://localhost:9311/v1/orders/62d57f53-ecfe-4ae4-87bd-fab2f24e29bc"
}
Verify Order Exists
Python Barbican Client
How to Submit an Order
How do you use Barbican?

curl -H 'X-Project-Id: 12345' \
  http://localhost:9311/v1/secrets/2df8d196-76b6-4f89-a6d2-c9e764900791
-> {"status": "ACTIVE",
"secret_ref": "http://localhost:9311/v1/secrets/2df8d196-76b6-4f89-a6d2-c9e764900791",
"updated": "2013-11-04T16:39:13.593962",
"name": "secretname",
"algorithm": "aes",
"created": "2013-11-04T16:39:13.593956",
"content_types": {
"default": "application/octet-stream"
},
"mode": "cbc",
"bit_length": 256,
"expiration": null
}
Retrieve Secret Metadata from an Order
Python Barbican Client
How to Submit an Order
How do you use Barbican?

curl -H 'Accept: application/octet-stream' \
  -H 'X-Project-Id: 12345' \
  http://localhost:9311/v1/secrets/2df8d196-76b6-4f89-a6d2-c9e764900791
-> �l6[F���#��r�|gd�fe~���
Retrieve Generated Secret
Python Barbican Client
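The order flow on the slides above (verify the order, read the secret metadata, fetch the generated payload), as an added Python example that is not part of the original deck or Barbican's own code. It only builds the requests and parses responses trimmed from the slides; the function names, the same-origin check on `secret_ref` and the key-length check are assumptions added for illustration.

```python
import json
from urllib.parse import urlparse
from urllib.request import Request

BARBICAN = "http://localhost:9311"  # endpoint used on the slides
PROJECT_ID = "12345"                # X-Project-Id value used on the slides
SECRET_REF = BARBICAN + "/v1/secrets/2df8d196-76b6-4f89-a6d2-c9e764900791"

# Responses trimmed from the slides' "Verify Order Exists" and
# "Retrieve Secret Metadata from an Order" output.
ORDER_BODY = json.dumps({"status": "ACTIVE", "secret_ref": SECRET_REF})
METADATA_BODY = json.dumps({
    "status": "ACTIVE", "algorithm": "aes", "mode": "cbc", "bit_length": 256,
    "content_types": {"default": "application/octet-stream"},
})


def secret_ref_from_order(order_body, endpoint=BARBICAN):
    """Return the order's secret_ref, or None if the order is not ACTIVE yet."""
    order = json.loads(order_body)
    if order.get("status") != "ACTIVE":
        return None
    ref = order["secret_ref"]
    got, want = urlparse(ref), urlparse(endpoint)
    # Follow the reference only if it points at this Barbican's secrets API,
    # so a tampered response cannot redirect the follow-up request elsewhere.
    same_origin = (got.scheme, got.netloc) == (want.scheme, want.netloc)
    if not same_origin or not got.path.startswith("/v1/secrets/"):
        raise ValueError("unexpected secret_ref: %r" % ref)
    return ref


def payload_request(secret_ref, metadata_body):
    """Build the GET for the raw payload, using the type the metadata names."""
    accept = json.loads(metadata_body)["content_types"]["default"]
    headers = {"Accept": accept, "X-Project-Id": PROJECT_ID}
    return Request(secret_ref, headers=headers, method="GET")


def check_generated_key(payload, metadata_body):
    """Return the payload if its length matches the ordered bit_length."""
    expected = json.loads(metadata_body)["bit_length"] // 8
    if len(payload) != expected:
        raise ValueError("got %d bytes, expected %d" % (len(payload), expected))
    return payload  # keep as bytes: it is binary, not text for a terminal
```

Passing the returned `Request` to `urllib.request.urlopen` and the response body to `check_generated_key` completes the flow against a running Barbican.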
How to Submit an Order
How to Store & Retrieve Secrets
How do you use Barbican?

curl -X POST \
  -H 'content-type:application/json' \
  -H 'X-Project-Id:12345' \
  -d '{}' \
  http://localhost:9311/v1/secrets
-> {"secret_ref": "http://localhost:9311/v1/secrets/2a549393-0710-444b-8aa5-84cf0f85ea79"}
Create a 2-Step Secret
Python Barbican Client
How to Store & Retrieve Secrets
How do you use Barbican?

curl -X PUT \
  -H 'content-type:text/plain' \
  -H 'X-Project-Id:12345' \
  -d 'my-secret-here' \
  http://localhost:9311/v1/secrets/2a549393-0710-444b-8aa5-84cf0f85ea79
Update a 2-Step Secret
Python Barbican Client
How to Store & Retrieve Secrets
How do you use Barbican?

curl -H 'Accept: text/plain' \
  -H 'X-Project-Id:12345' \
  http://localhost:9311/v1/secrets/2a549393-0710-444b-8aa5-84cf0f85ea79
-> my-secret-here
Retrieve a 2-Step Secret
Python Barbican Client
How to Create a Container
How do you use Barbican?

Create a Container
Python Barbican Client
curl -H 'content-type:application/json' \
  -H 'X-Project-Id:12345' \
  -d '{
        "name": "My Container",
        "type": "generic",
        "secret_refs": [
          {
            "name": "My First Secret",
            "secret_ref": "http://localhost:9311/v1/secrets/2a549393-0710-444b-8aa5-84cf0f85ea79"
          }
        ]
      }' \
  http://localhost:9311/v1/containers
-> {"container_ref": "http://localhost:9311/v1/containers/5d21e081-df32-4c6b-8e72-fe11f20a0327"}
How to Create a Container
How do you use Barbican?

Retrieve a Container
Python Barbican Client
curl -X GET -H 'X-Project-Id:12345' http://localhost:9311/v1/containers/13edacaf-9c23-4330-b111-bb47d4866478
->
{
"status": "ACTIVE",
"updated": "2014-10-02T14:53:13.488094",
"name": "My Container",
"consumers": [],
"created": "2014-10-02T14:53:13.488084",
"container_ref": "http://localhost:9311/v1/containers/13edacaf-9c23-4330-b111-bb47d4866478",
"secret_refs": [
{
"secret_ref": "http://localhost:9311/v1/secrets/ed7ffb86-25a4-4ed8-a46a-17de7d29d121",
"name": "My First Secret"
}
],
"type": "generic"
}
The Future

SSL / TLS Certificates
Federated Keys
Key Splitting
Wrap-Up and Questions

Important Information

https://github.com/openstack/barbican/
http://slides.com/chellygel/barbican-storing-secrets/#/
Freenode IRC: #openstack-barbican
https://pypi.python.org/pypi/python-barbicanclient
Copy of barbican-storing-secrets
By chellygel
Barbican: Storing Your Secrets.