Keeping OpenStack Secrets Safe With Barbican

While previous OpenStack summits have debated the merits and relevance of Barbican, a REST API designed for the secure storage, provisioning and management of secrets, this week's summit in Vancouver will reflect its maturity as a bona fide OpenStack project.

Until recently, discussions around Barbican were introductory in nature, whereas now, people are interested in how they can integrate it into their projects and workflows.

Because it’s a solid option for the protection and secure storage of sensitive information, Barbican has found favor with OpenStack developers, who are constantly on the lookout for new ways to keep secrets and sensitive data safe.

This is exemplified through Cloud Keep, a soon-to-be deployed Rackspace product based on Barbican, which allows users to build a secure, cloud-ready key management system that can help manage sensitive information – including symmetric keys and asymmetric keys, as well as raw secrets.

By utilizing Barbican, Cloud Keep users are able to offload confidential or sensitive aspects of their OpenStack projects for secure storage.

These projects can replace sensitive information such as database passwords with unique references (URLs), while the secret itself is stored securely in Barbican for later retrieval. Barbican encrypts that sensitive information using dedicated encryption devices such as hardware security modules (HSMs), providing an enhanced level of security.
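Resolving such a reference at application start-up, as an added Python example that is not from this post or the Barbican project: the config holds only a secret reference URL, and the client fetches the plaintext from Barbican's v1 API (`GET <secret_ref>/payload` with the Keystone token in `X-Auth-Token`). The hostname, UUID and token are constructed placeholders, and `FakeBarbican` is an offline stand-in for the service so the code runs without a deployment.

```python
import urllib.request
# Constructed sample config: the database password has been replaced by a
# Barbican secret reference (host and UUID are placeholders, not real values).
SAMPLE_CONFIG = {
    "db_host": "db.example.internal",
    "db_user": "app",
    "db_password_ref": "https://barbican.example.internal:9311/v1/secrets/"
                       "00000000-0000-4000-8000-000000000001",
}

def is_secret_ref(value):
    """Accept only HTTPS references under Barbican's /v1/secrets/ path."""
    return isinstance(value, str) and value.startswith("https://") and "/v1/secrets/" in value

def fetch_payload(secret_ref, auth_token, opener=urllib.request.urlopen):
    """GET <secret_ref>/payload (Barbican v1); `opener` is injectable for offline tests."""
    if not is_secret_ref(secret_ref):
        raise ValueError("refusing non-HTTPS or non-Barbican reference")
    req = urllib.request.Request(secret_ref.rstrip("/") + "/payload",
                                 headers={"X-Auth-Token": auth_token, "Accept": "text/plain"})
    with opener(req, timeout=5) as resp:
        if resp.status != 200:
            raise RuntimeError("Barbican returned HTTP %d" % resp.status)
        return resp.read().decode("utf-8")

def resolve_config(config, auth_token, opener=urllib.request.urlopen):
    """Copy config, replacing each *_ref entry with the secret it points to."""
    resolved = {}
    for key, value in config.items():
        if key.endswith("_ref") and is_secret_ref(value):
            resolved[key[:-4]] = fetch_payload(value, auth_token, opener)
        else:
            resolved[key] = value
    return resolved

class _FakeResponse:  # minimal stand-in for the urlopen response object
    def __init__(self, status, body): self.status, self._body = status, body
    def read(self): return self._body
    def __enter__(self): return self
    def __exit__(self, *exc): return False

class FakeBarbican:
    """Constructed offline stand-in for one Barbican secret (not a real server)."""
    def __init__(self, secret_ref, token, payload):
        self.ref, self.token, self.payload = secret_ref, token, payload
    def __call__(self, req, timeout=None):
        headers = {k.lower(): v for k, v in req.header_items()}
        if req.full_url == self.ref + "/payload" and headers.get("x-auth-token") == self.token:
            return _FakeResponse(200, self.payload)
        return _FakeResponse(401, b"")
```

Only the reference URL lives in the config file; the plaintext exists in process memory after retrieval, and access to it is gated by the Keystone token the caller presents.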

Barbican can also generate sensitive information, including anything from Advanced Encryption Standard (AES) keys for disk encryption to public key encryption certificates used to secure servers and load balancers.

Along these lines, the Rackspace Barbican team as well as outside contributors will give two presentations and two design sessions at the upcoming Liberty summit. The first, entitled "State of SSL/TLS in Barbican," emphasizes how clients, projects and enterprises can integrate with Barbican to ease the management of Transport Layer Security (TLS) certificates. Rackspace would like to utilize this feature to assist with our customers' certificate management needs. Presenters include myself, John Wood, an architect on Barbican, as well as former Racker Sheena Gregson, Senior Product Manager with Mirantis, and Ade Lee, Principal Engineer with Red Hat.

The second presentation, entitled "Common Use Cases and Options for Barbican in Your OpenStack Deployment," highlights several other OpenStack projects that are currently integrating with Barbican for secure data storage. This complements our efforts to onboard internal Rackspace customers for Barbican. Presenters include Rackers Douglas Mendizábal, Project Team Leader (PTL) of Barbican, and Adam Harwell, core developer on the Octavia and Neutron projects. Former Rackers John Dickenson, PTL with Swift, and Sheena Gregson will also assist with the presentation.

The Barbican team will also host two design sessions, the first of which will dive deeper into Castellan, a lightweight adapter library that helps OpenStack projects talk to Barbican. The second session will work through outstanding blueprints needed to complete the SSL/TLS certificate management feature set.

Away from these events, much face-to-face discussion will take place with our contributors as we plan out the next six months of work until the next summit in Tokyo. Determining who can add code for which feature is an important outcome of the summits, and is an opportunity for Rackspace to land features we can utilize, such as certificate management.
