Support for PKCS11 password/PIN in a separate file

Bug #2049521 reported by Josselin Mouette
Affects: Barbican
Status: In Progress
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

We’re using barbican with an HSM and we would very much like the PKCS#11 PIN/password used to access this HSM to remain in memory and to never land on disk.

To support that, it seems logical, as most software handling PKCS11 allows, to put it in a separate file instead of barbican.conf.

The attached patch allows this.

Josselin Mouette (jmouette) wrote:

Grzegorz Grasza (xek) wrote:

An alternative might be to use environment variables, which should already be supported:

https://specs.openstack.org/openstack/oslo-specs/specs/rocky/config-from-environment.html

Note that I didn't test this, but if you do, and this would cover your use case, please leave a comment.

Josselin Mouette (jmouette) wrote:

Thanks a lot for your suggestion, which I didn’t know about. This makes sense on paper; unfortunately we are also using kolla-ansible, which hardcodes all the docker configuration in a way that allows very little customization. The only practical one we have is the extra_volumes passed to docker, making it easy to set up a file in a given volume.

Using environment variables would also make the setup a bit more contrived, since the secure file containing the password would have to be read before being put in the environment (otherwise you’re just moving the problem from barbican.conf to your docker configuration). But for setups other than kolla-ansible, I guess it could work.
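The approach requested in the bug description and the kolla-ansible constraint above, as an added example that is not the attached patch or Barbican's own code: a small Python loader that resolves the PKCS#11 PIN from a dedicated file (a hypothetical `pin_file` option beside the existing inline `pin`), refuses files that other users can read, strips the trailing newline an editor leaves behind, and returns the value without ever logging it. The `p11_crypto_plugin` group name, the `pin_file` option and the plain-dict stand-in for a parsed barbican.conf are assumptions for illustration.

```python
"""Load a PKCS#11 PIN from a separate file instead of barbican.conf.

Illustrative example, not Barbican's code and not the patch attached to
the bug. Assumed (hypothetical) config key:
    [p11_crypto_plugin]
    pin_file = /etc/barbican/hsm.pin
"""
import os
import stat
import tempfile


class PinFileError(Exception):
    """Raised when the PIN file is missing, empty, unreadable or too permissive."""


def parse_pin(raw: bytes) -> str:
    """Decode file content and strip a single trailing newline.

    Editors and `echo` append one newline; stripping exactly one leaves a
    PIN that genuinely ends in whitespace untouched.
    """
    text = raw.decode("utf-8")
    if text.endswith("\r\n"):
        text = text[:-2]
    elif text.endswith("\n"):
        text = text[:-1]
    if not text:
        raise PinFileError("PIN file is empty")
    return text


def load_pin(path: str, *, allow_group: bool = False) -> str:
    """Read the PIN from `path`, refusing files readable by other users.

    The value is only returned to the caller, never logged or printed, so
    the PIN stays in process memory as the bug report asks.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        raise PinFileError(f"PIN file {path!r} does not exist") from None
    if not stat.S_ISREG(st.st_mode):
        raise PinFileError(f"PIN file {path!r} is not a regular file")
    forbidden = stat.S_IRWXO | (0 if allow_group else stat.S_IRWXG)
    if st.st_mode & forbidden:
        raise PinFileError(
            f"PIN file {path!r} has mode {stat.S_IMODE(st.st_mode):04o}; "
            "it must not be accessible to other users"
        )
    with open(path, "rb") as fh:
        return parse_pin(fh.read())


def pin_from_config(config: dict, group: str = "p11_crypto_plugin") -> str:
    """Resolve the PIN: prefer `pin_file`, fall back to the inline `pin`.

    `config` is a plain dict standing in for a parsed barbican.conf
    (assumption). An operator who can only mount an extra volume, as with
    kolla-ansible's extra_volumes, sets `pin_file` and leaves `pin` unset.
    """
    section = config.get(group, {})
    pin_file = section.get("pin_file")
    if pin_file:
        return load_pin(pin_file)
    inline = section.get("pin")
    if inline:
        return inline
    raise PinFileError(f"neither pin_file nor pin is set in [{group}]")


def demo_roundtrip(mode: int = 0o600) -> str:
    """Write a constructed PIN to a temp file with `mode` and load it back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "hsm.pin")
        with open(path, "wb") as fh:
            fh.write(b"example-pin-1234\n")  # constructed sample value
        os.chmod(path, mode)
        return pin_from_config({"p11_crypto_plugin": {"pin_file": path}})


def demo_rejects_permissive(mode: int = 0o644) -> bool:
    """True if a PIN file with `mode` (readable by others) is refused."""
    try:
        demo_roundtrip(mode)
    except PinFileError:
        return True
    return False


if __name__ == "__main__":
    # Only the length is printed: the PIN itself must never reach a log.
    print("loaded PIN length:", len(demo_roundtrip()))
    print("world-readable file rejected:", demo_rejects_permissive())
```

The permission check is the part worth keeping whichever option is adopted: a PIN file that is readable by every local user is no better than a PIN inline in a world-readable barbican.conf, and failing loudly at startup is preferable to silently using a leaked credential.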

Changed in barbican:
status: New → In Progress
Josselin Mouette (jmouette) wrote:

Whoops, I just saw the zuul output and this is embarrassing. I uploaded the wrong patch version (missing a comma).
