On 1/16/17, 3:06 PM, "Ian Cordasco" <sigmaviru...@gmail.com> wrote:
> -----Original Message-----
> From: Dave McCowan (dmccowan) <dmcco...@cisco.com>
> Reply: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org>
> Date: January 16, 2017 at 13:03:41
> To: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org>
> Subject: Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?
>
>> Yep. Barbican supports four backend secret stores. [1]
>>
>> The first (Simple Crypto) is easy to deploy, but not extraordinarily secure, since the secrets are encrypted using a static key defined in the barbican.conf file.
>>
>> The second and third (PKCS#11 and KMIP) are secure, but require an HSM as a hardware base to encrypt and/or store the secrets.
>> The fourth (Dogtag) is secure, but requires a deployment of Dogtag to encrypt and store the secrets.
>>
>> We do not currently have a secret store that is both highly secure and easy to deploy/manage.
>>
>> We, the Barbican community, are very open to any ideas, blueprints, or patches on how to achieve this.
>> In any of the homegrown per-project secret stores, has a solution been developed that solves both of these?
>>
>> [1] http://docs.openstack.org/project-install-guide/key-manager/draft/barbican-backend.html
>
> So there seems to be a consensus that Vault is a good easy and secure solution to deploy. Can Barbican use that as a backend secret store?

Adding a new secret store plugin for Vault would be a welcome addition. We have documentation in our repo on how to write a new plugin. [1] I can schedule some time at the PTG to plan for this in Pike if there are interested developers.
[1] https://github.com/openstack/barbican/blob/master/doc/source/plugin/secret_store.rst
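As an added example (not from this thread or the Barbican project), here is a small check a deployer could run over barbican.conf to spot the Simple Crypto situation described above: the plugin enabled and its key-encryption key sitting in the config file. It assumes the `[crypto]` / `[simple_crypto_plugin]` section and `kek` option names from barbican's sample config, that the placeholder KEK value shown is the one the sample ships with, and that the plugin feeds the KEK to Fernet (32 raw bytes); the config text is constructed.

```python
import base64
import configparser

# Constructed sample of a barbican.conf fragment that keeps the Simple Crypto
# plugin enabled. Section and option names follow barbican's sample config;
# the KEK value is the placeholder that sample ships with (an assumption here).
SAMPLE_CONF = """
[crypto]
enabled_crypto_plugins = simple_crypto

[simple_crypto_plugin]
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
"""

# Placeholder KEK from the sample barbican.conf (assumed; verify against your tree).
SAMPLE_PLACEHOLDER_KEK = "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="


def audit_secret_store(conf_text):
    """Return findings (strings) about the crypto back end in a barbican.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    raw_list = cp.get("crypto", "enabled_crypto_plugins", fallback="")
    plugins = [p.strip() for p in raw_list.split(",") if p.strip()]
    if "simple_crypto" not in plugins:
        return findings  # PKCS#11 / KMIP / Dogtag keep key material outside the conf
    findings.append("simple_crypto enabled: secrets are wrapped by a KEK stored in barbican.conf")
    # configparser keeps the surrounding quotes, so strip them before checking.
    kek = cp.get("simple_crypto_plugin", "kek", fallback="").strip().strip("'\"")
    if not kek:
        findings.append("simple_crypto_plugin.kek is unset")
    elif kek == SAMPLE_PLACEHOLDER_KEK:
        findings.append("kek is the well-known sample placeholder, not a deployment-specific key")
    else:
        try:
            # simple_crypto hands the KEK to Fernet, which expects 32 raw bytes (assumption).
            if len(base64.urlsafe_b64decode(kek)) != 32:
                findings.append("kek does not decode to 32 bytes")
        except (ValueError, TypeError):
            findings.append("kek is not valid base64")
    return findings


if __name__ == "__main__":
    for finding in audit_secret_store(SAMPLE_CONF):
        print("-", finding)
```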