I think you'd do something like this (note that I don't know off the top of my head the barbican CLI or openvpn CLI switches... just pseudo-code):
oconf=$(mktemp -d /tmp/openvpnconfig.XXXXXX)
# RAM-backed directory, so the config (and the key in it) never lands on the disk-backed filesystem
mount -t tmpfs -o size=1M tmpfs "$oconf"
# pseudo-code: the real barbican CLI syntax is not known here
barbican get my-secret-openvpn-conf > "$oconf/foo.conf"
# openvpn parses the whole config (assuming the key is inlined in it) before it forks,
# so the directory can go away once --daemon returns
openvpn --config "$oconf/foo.conf" --daemon
umount "$oconf"
rmdir "$oconf"

Excerpts from Nachi Ueno's message of 2014-05-01 10:15:26 -0700:
> Hi Robert
>
> Thank you for your suggestion.
> So your suggestion is to let the OpenVPN process download the key to memory
> directly from Barbican?
>
> 2014-05-01 9:42 GMT-07:00 Clark, Robert Graham <robert.cl...@hp.com>:
> > Excuse me interrupting but couldn't you treat the key as largely
> > ephemeral, pull it down from Barbican, start the OpenVPN process and
> > then purge the key? It would of course still be resident in the memory
> > of the OpenVPN process but should otherwise be protected against
> > filesystem disk-residency issues.
> >
> >
> >> -----Original Message-----
> >> From: Nachi Ueno [mailto:na...@ntti3.com]
> >> Sent: 01 May 2014 17:36
> >> To: OpenStack Development Mailing List (not for usage questions)
> >> Subject: Re: [openstack-dev] [Neutron] SSL VPN Implemenatation
> >>
> >> Hi Jarret
> >>
> >> IMO, Zang's point is the issue of saving the plain private key in the filesystem for
> >> OpenVPN.
> >> Isn't this the same even if we use Barbican?
> >>
> >> 2014-05-01 2:56 GMT-07:00 Jarret Raim <jarret.r...@rackspace.com>:
> >> > Zang mentioned that part of the issue is that the private key has to
> >> > be stored in the OpenVPN config file. If the config files are
> >> > generated and can be stored, then storing the whole config file in
> >> > Barbican protects the private key (and any other settings) without
> >> > having to try to deliver the key to the OpenVPN endpoint in some
> >> > non-standard way.
> >> >
> >> >
> >> > Jarret
> >> >
> >> > On 4/30/14, 6:08 PM, "Nachi Ueno" <na...@ntti3.com> wrote:
> >> >
> >> >>> Jarret
> >> >>
> >> >> Thanks!
> >> >> Currently, the config will be generated on demand by the agent.
> >> >> What's the merit of storing the entire config in Barbican?
> >> >>
> >> >>> Kyle
> >> >> Thanks!
> >> >>
> >> >> 2014-04-30 7:05 GMT-07:00 Kyle Mestery <mest...@noironetworks.com>:
> >> >>> On Tue, Apr 29, 2014 at 6:11 PM, Nachi Ueno <na...@ntti3.com> wrote:
> >> >>>> Hi Clint
> >> >>>>
> >> >>>> Thank you for your suggestion. Your point is taken :)
> >> >>>>
> >> >>>>> Kyle
> >> >>>> This is also the same discussion for LBaaS. Can we discuss this in
> >> >>>> the advanced services meeting?
> >> >>>>
> >> >>> Yes! I think we should definitely discuss this in the advanced
> >> >>> services meeting today. I've added it to the agenda [1].
> >> >>>
> >> >>> Thanks,
> >> >>> Kyle
> >> >>>
> >> >>> [1] https://wiki.openstack.org/wiki/Meetings/AdvancedServices#Agenda_for_next_meeting
> >> >>>
> >> >>>>> Zang
> >> >>>> Could you join the discussion?
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>> 2014-04-29 15:48 GMT-07:00 Clint Byrum <cl...@fewbar.com>:
> >> >>>>> Excerpts from Nachi Ueno's message of 2014-04-29 10:58:53 -0700:
> >> >>>>>> Hi Kyle
> >> >>>>>>
> >> >>>>>> 2014-04-29 10:52 GMT-07:00 Kyle Mestery <mest...@noironetworks.com>:
> >> >>>>>> > On Tue, Apr 29, 2014 at 12:42 PM, Nachi Ueno <na...@ntti3.com> wrote:
> >> >>>>>> >> Hi Zang
> >> >>>>>> >>
> >> >>>>>> >> Thank you for your contribution on this!
> >> >>>>>> >> The private key management is what I want to discuss in the summit.
> >> >>>>>> >>
> >> >>>>>> > Has the idea of using Barbican been discussed before? There are many
> >> >>>>>> > reasons why using Barbican for this may be better than developing key
> >> >>>>>> > management ourselves.
> >> >>>>>>
> >> >>>>>> No, however I'm +1 for using Barbican. Let's discuss this in the
> >> >>>>>> certificate management topic in the advanced services session.
> >> >>>>>>
> >> >>>>>
> >> >>>>> Just a suggestion: Don't defer that until the summit. Sounds like
> >> >>>>> you've already got some consensus, so you don't need the summit
> >> >>>>> just to rubber stamp it. I suggest discussing as much as you can
> >> >>>>> right now on the mailing list, and using the time at the summit to
> >> >>>>> resolve any complicated issues including any "a or b" things that
> >> >>>>> need crowd-sourced idea making. You can also use the summit time
> >> >>>>> to communicate your requirements to the Barbican developers.
> >> >>>>>
> >> >>>>> Point is: just because you'll have face time, doesn't mean you
> >> >>>>> should use it for what can be done via the mailing list.
> >> >>>>>
> >> >>>>> _______________________________________________
> >> >>>>> OpenStack-dev mailing list
> >> >>>>> OpenStack-dev@lists.openstack.org
> >> >>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
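A hardened version of the RAM-only hand-off sketched at the top of this message, added here as an example rather than code from the thread. It assumes root for the mount, GNU stat and util-linux mountpoint, and that FETCH_CMD prints the complete OpenVPN config with the key inlined; the default barbican command and the secret name are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: the same RAM-only hand-off with
# the checks a deployment would want. Assumes root (for mount), GNU stat and
# util-linux mountpoint, and that FETCH_CMD prints the complete OpenVPN config
# (key inlined) to stdout; the default barbican command and secret name below
# are assumed placeholders, not something the thread settles.
set -eu

FETCH_CMD="${FETCH_CMD:-barbican secret get --payload my-secret-openvpn-conf}"

# openvpn reads its config while parsing options, before --daemon forks, so an
# inline <key> block is all it ever needs from the tmpfs. A "key <path>" line
# would point at a file we are about to unmount, so reject that case.
conf_has_inline_key() {
    grep -q '^<key>' "$1" && grep -q '^</key>' "$1" && ! grep -q '^key ' "$1"
}

# Write stdin to $1 readable by the owner only (umask in a subshell so the
# caller's umask is untouched), then confirm the resulting mode.
write_secret() {
    ( umask 077; cat > "$1" )
    [ "$(stat -c %a "$1")" = "600" ]
}

# Unmount and remove the RAM directory; idempotent, so it is safe from a trap.
cleanup() {
    if [ -n "${OCONF:-}" ] && [ -d "$OCONF" ]; then
        if mountpoint -q "$OCONF"; then umount "$OCONF"; fi
        rmdir "$OCONF"
    fi
}

start_openvpn_from_ram() {
    OCONF=$(mktemp -d /tmp/openvpnconfig.XXXXXX)
    # Whatever fails from here on, the config does not outlive this script.
    trap cleanup EXIT INT TERM
    # RAM-backed, root-only, nothing inside may be executed or act as a device.
    mount -t tmpfs -o size=1M,mode=0700,noexec,nosuid,nodev tmpfs "$OCONF"
    $FETCH_CMD | write_secret "$OCONF/foo.conf"
    conf_has_inline_key "$OCONF/foo.conf"
    # --daemon returns to us only after the child has parsed the config and
    # detached (no --cd, so the daemon's cwd is not inside the tmpfs either).
    openvpn --config "$OCONF/foo.conf" --daemon
    cleanup
}

if [ "${1:-}" = "run" ]; then start_openvpn_from_ram; fi
```

Run it as root with "run" as the argument; without it the script only defines the functions.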