Hello Asha,

So the last step you have is retrieving a decrypted secret from Barbican. 
Barbican indeed stores the secret internally encrypted using an internal KEK. 
When it is retrieved, however, it is first decrypted by Barbican and then 
returned to the client decrypted.

Beyond TLS to protect this information back to the client, there is also a 
transport key feature that has not yet been fully supported via the client 
library, that allows the client to select a session key that can be used to 
encrypt the secret between the client and Barbican.

Thanks,
John


From: Asha Seshagiri <asha.seshag...@gmail.com>
Date: Friday, April 17, 2015 at 1:02 PM
To: John Wood <john.w...@rackspace.com>
Cc: openstack-dev <openstack-dev@lists.openstack.org>, 
"Reller, Nathan S." <nathan.rel...@jhuapl.edu>, Douglas Mendizabal 
<douglas.mendiza...@rackspace.com>, Paul Kehrer <paul.keh...@rackspace.com>, 
Adam Harwell <adam.harw...@rackspace.com>, Alexis Lee <alex...@hp.com>
Subject: Re: Barbican : What is the difference between secret and order resource

Hi All,

I would like to know if the keys generated by Barbican through the order 
resource are encrypted using KEKs and then stored in the secret object, or if 
they are stored in unencrypted format.

Any help  would be highly appreciated.

Please find the command and response below:

root@barbican:~# curl -H 'Accept: application/json' -H 'X-Project-Id:12345' \
http://localhost:9311/v1/orders

{"total": 3, "orders": [{"status": "ACTIVE", "secret_ref": 
"http://localhost:9311/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2", 
"updated": "2015-03-13T22:27:48.866683", "meta": {"name": "secretname2", 
"algorithm": "aes", "payload_content_type": "application/octet-stream", "mode": 
"cbc", "bit_length": 256, "expiration": null}, "created": 
"2015-03-13T22:27:48.844860", "type": "key", "order_ref": 
"http://localhost:9311/v1/orders/5a4844ca-47a9-4bd7-ae56-fb84655f48d9"},....

root@barbican:~# curl -H 'Accept: application/json' -H 'X-Project-Id:12345' \
http://localhost:9311/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2
{"status": "ACTIVE", "secret_type": "opaque", "updated": 
"2015-03-13T22:27:48.863403", "name": "secretname2", "algorithm": "aes", 
"created": "2015-03-13T22:27:48.860600", "secret_ref": 
"http://localhost:9311/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2", 
"content_types": {"default": "application/octet-stream"}, "expiration": null, 
"bit_length": 256, "mode": "cbc"}


root@barbican:~# curl -H 'Accept:application/octet-stream' -H 'X-Project-Id:12345' \
http://localhost:9311/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2
▒▒R▒v▒▒▒W▒4▒A?Md▒L[▒K4A▒▒bx▒▒▒

-> I would like to know if this response is encrypted by Barbican using KEKs, 
or if it is in unencrypted format whose content type is 
application/octet-stream.


Thanks and Regards,
Asha Seshagiri

On Fri, Apr 17, 2015 at 11:30 AM, Asha Seshagiri 
<asha.seshag...@gmail.com> wrote:
Thanks a lot John for your response.

I also thank everyone who has been responding to my queries, in case I have 
missed someone.
There was some problem while configuring my email. I do not receive the email 
responses directly from the openstack-dev group; I will check the archive 
folder for that.
I will have a look into it.

Once again, it's nice working and collaborating with the openstack-dev group.

Thanks and Regards,
Asha Seshagiri

On Thu, Apr 16, 2015 at 8:10 AM, John Wood <john.w...@rackspace.com> wrote:
Hello Asha,

The /v1/secrets resource is used to upload, encrypt and store your secrets, and 
to decrypt and retrieve those secrets. Key encryption keys (KEKs) internal to 
Barbican are used to encrypt the secret.

The /v1/orders resource is used when you want Barbican to generate secrets for 
you. When they are done they give you references to where the secrets are 
stored so you can retrieve them via the secrets resource above.

Hope that helps!

Thanks,
John
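As an added example (not Barbican's own code, and not anything posted in this thread), the following Python models the two points John makes: the secret-versus-order split described just above, and, from his later reply at the top of the thread, that a secret is sealed under an internal KEK at rest, decrypted on every payload GET, and optionally re-wrapped under a client-chosen transport key. Everything here is an assumption made for the model: the `BarbicanModel` class and its method names, the HMAC-SHA256-based `seal`/`unseal` stand-in (the page does not say which cipher the real KEK uses), and the symmetric transport key (the page only calls it a "session key"). The metadata fields mirror the JSON shown in the thread.

```python
"""In-process model of Barbican's /v1/secrets and /v1/orders (added example,
not Barbican code). Reproduces the behaviour described in the thread offline."""
import hashlib
import hmac
import os
import uuid

BASE = "http://localhost:9311"  # endpoint from the thread; nothing is contacted


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stand-in for the real KEK cipher (assumption)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce(16) || ciphertext || tag(32)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal; refuses to decrypt when the tag does not verify."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class BarbicanModel:
    """Hypothetical model: secrets sit sealed under an internal KEK and are
    decrypted on every payload GET, which is what the thread describes."""

    def __init__(self):
        self._kek = os.urandom(32)  # internal KEK, never leaves the service
        self._secrets, self._orders = {}, {}

    def post_secret(self, payload, meta):  # POST /v1/secrets
        sid = str(uuid.uuid4())
        self._secrets[sid] = {"meta": dict(meta), "cypher_text": seal(self._kek, payload)}
        return "%s/v1/secrets/%s" % (BASE, sid)

    def get_secret_metadata(self, secret_ref):  # GET secret, Accept: application/json
        rec = self._secrets[secret_ref.rsplit("/", 1)[1]]
        return {"status": "ACTIVE", "secret_ref": secret_ref, **rec["meta"]}

    def get_secret_payload(self, secret_ref):  # GET secret, Accept: application/octet-stream
        rec = self._secrets[secret_ref.rsplit("/", 1)[1]]
        return unseal(self._kek, rec["cypher_text"])  # plaintext leaves the service here

    def get_secret_payload_wrapped(self, secret_ref, transport_key):
        """Transport-key variant (assumption: symmetric client-chosen session key)."""
        return seal(transport_key, self.get_secret_payload(secret_ref))

    def post_order(self, meta):  # POST /v1/orders: Barbican generates the key itself
        key = os.urandom(meta["bit_length"] // 8)
        secret_ref = self.post_secret(key, meta)
        oid = str(uuid.uuid4())
        order_ref = "%s/v1/orders/%s" % (BASE, oid)
        self._orders[oid] = {"status": "ACTIVE", "type": "key", "meta": dict(meta),
                             "secret_ref": secret_ref, "order_ref": order_ref}
        return order_ref

    def get_order(self, order_ref):  # GET /v1/orders/{id}
        return dict(self._orders[order_ref.rsplit("/", 1)[1]])

    def at_rest(self, secret_ref):
        """What the database holds for this secret (inspection only)."""
        return self._secrets[secret_ref.rsplit("/", 1)[1]]["cypher_text"]


def walk_through():
    """Replays the thread's order -> secret -> payload sequence and reports what
    the client actually receives at each step."""
    svc = BarbicanModel()
    meta = {"name": "secretname2", "algorithm": "aes", "mode": "cbc",
            "bit_length": 256, "payload_content_type": "application/octet-stream"}
    order = svc.get_order(svc.post_order(meta))
    ref = order["secret_ref"]
    payload = svc.get_secret_payload(ref)  # the bytes curl prints with Accept: octet-stream
    tk = os.urandom(32)                    # client-chosen transport/session key
    wrapped = svc.get_secret_payload_wrapped(ref, tk)
    return {
        "order_status": order["status"],
        "metadata_has_no_payload": "payload" not in svc.get_secret_metadata(ref),
        "payload_len": len(payload),           # 32 bytes: the raw 256-bit AES key
        "at_rest_differs": payload not in svc.at_rest(ref),
        "wire_differs_with_transport_key": wrapped != payload,
        "client_recovers_key": unseal(tk, wrapped) == payload,
    }


if __name__ == "__main__":
    for name, value in walk_through().items():
        print(name, value)
```

The check a practitioner wants is `payload_len == 32`: a 256-bit key order returns exactly 32 bytes on the octet-stream GET, which is the generated key itself, not a KEK-wrapped blob (that blob, `at_rest`, is longer and never leaves the service). With the transport key the bytes on the wire no longer equal the key, and only the holder of `tk` can recover it.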

From: Asha Seshagiri <asha.seshag...@gmail.com>
Date: Thursday, April 16, 2015 at 1:23 AM
To: openstack-dev <openstack-dev@lists.openstack.org>
Cc: John Wood <john.w...@rackspace.com>, 
"Reller, Nathan S." <nathan.rel...@jhuapl.edu>, Douglas Mendizabal 
<douglas.mendiza...@rackspace.com>, Paul Kehrer <paul.keh...@rackspace.com>, 
Adam Harwell <adam.harw...@rackspace.com>, Alexis Lee <alex...@hp.com>
Subject: Barbican : What is the difference between secret and order resource

Hi All,

What is the difference between the secret and the order resource?
Where is the key stored that is used for encrypting the payload in the secret 
resource, and how do we access it?

According to my understanding,

Storing/posting the secret means we are encrypting the actual 
information (payload) using the key generated internally by Barbican based on 
the type mentioned in the secret type.
Getting the secret means we are decrypting the information and getting the 
actual information.

Posting the order refers to the generation of the actual keys by Barbican 
and encrypting those keys based on the algorithm and the internal key generated 
by Barbican.
This encrypted key is referred to through the secret reference, and the whole 
metadata is referred to through an order reference.

Please correct me if I am wrong.
Any help would be highly appreciated.


--
Thanks and Regards,
Asha Seshagiri

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
