Creation of a Babrican Plugin to use HP Atalla ESKM.

Include the URL of your launchpad blueprint:

https://blueprints.launchpad.net/barbican/+spec/hp-eskm-plugin

This effort will enhance Barbican by adding a crypto plugin to allow use of Atalla ESKM from HP. Atalla ESKM is a HSM appliance for generating and managing cryptographic keys. By adding an optional plugin to Barbican, users have the option of integrating OpenStack with existing or new Atalla ESKM installations.

Problem Description

Deployers of an OpenStack cloud may have, or wish to have an Atalla ESKM Appliance for key management. In this case, it is desirable to utilise the appliance alongside the new OpenStack installation for enhanced security.

Proposed Change

The proposed changes to Barbican are, creation of an optional plugin to talk to an ESKM appliance. This plugin will be based of off the CryptoPlugin base and encapsulate all necessary functionality. The plugin will communicate over a secure network link to a remote appliance using a vendor specific protocol.

No changes to the core of Barbican are required.

Alternatives

Alternatively, Atalla ESKM supports the KMIP industry standard protocol for key exchange. KMIP is something planned for Barbican in the future but at the time of writing has not yet been implemented.

Data model impact

None

REST API impact

None

Security impact

This change touches sensitive data (tokens, keys, and user data) since it will pass key data through to an ESKM server and receive the results prior to encryption. User data is protected using a key encryption key and 256 bit AES CBC encryption. The key encryption key is never stored and is fetched on demand from the ESKM appliance.

This change utilises encryption algorithms from the ‘cryptography’ python module but does not introduce any additional cryptographic dependencies into Barbican.

This change requires a network connection to be established between Barbican and an ESKM appliance. This connection is protected using TLSv1 and client identification certificates. Key material is transmitted over this connection.

Notifications & Audit Impact

None

Other end user impact

None

Performance Impact

A performance impact is introduced by this change, communication over a network link to a remote ESKM appliance may take time. This is multiplied by the need to request a key encryption key from ESKM as part of all requests. This performance impact is accepted in return for the improved security gained by not caching the key encryption key locally.

Other deployer impact

The following new config options are added, they are specific to the plugin and need not be used otherwise. All options live within the ‘eskm_crypto_plugin’ group.

Option Meaning
eskm_crypto_plugin.crt_file_path ESKM client certificate file path.
eskm_crypto_plugin.key_file_path ESKM client key file.
eskm_crypto_plugin.key_password ESKM client key password.
eskm_crypto_plugin.user_name ESKM user name.
eskm_crypto_plugin.user_pass ESKM user password.
eskm_crypto_plugin.eskm_host ESKM host IPs, comma separated.
eskm_crypto_plugin.eskm_port ESKM port number.

Developer impact

None

Implementation

Assignee(s)

Primary assignee:
tim-kelsey
Other contributors:
None

Work Items

  • Create spec (this spec).
  • Write the plugin and tests.
  • Confirm all Barbican tests, new and old, still pass.
  • Review the code.

Dependencies

No compulsory dependencies are introduced, but an Atalla ESKM appliance must be available if a deployer wishes to use this plugin.

Testing

A suite of unit tests will be produced to test the new code.

Documentation Impact

Documentation may need updating to reflect the existence of the plugin and its configuration options.

References

None