(Tracking) HSMs for Barbican

Bug #1615211 reported by Alex Kavanagh on 2016-08-20
Affects: OpenStack Barbican Charm

Bug Description

The HSMs that the Barbican team are aware of are:

- Dogtag (fedora project): http://pki.fedoraproject.org/wiki/PKI_Main_Page
- Safenet by Gemalto https://safenet.gemalto.com/data-encryption/hardware-security-modules-hsms/safenet-network-hsm/
- nShield by Thales (via a KMIP interface?)
- Also Utimaco have been doing some integration work.

And that’s pretty much it. The Safenet is the device that all the PKCS#11 work has been done by.

Dogtag is an app that can run on a machine, and so it’s really an HSM; however, they do say it’s been hardened.
Safenet and nShield are both HSMs; there are USB, PCIe and Network versions of their products.

Barbican also has recently gained KMIP support — this is a network protocol that provides most of the features of PKCS#11 (which is a library specification).

Resource links:

- https://safenet.gemalto.com/data-encryption/hardware-security-modules-hsms/usb-hsm/
- http://pki.fedoraproject.org/wiki/PKI_Main_Page
- https://en.wikipedia.org/wiki/Key_Management_Interoperability_Protocol
- https://github.com/OpenKMIP/PyKMIP — KMIP server (for testing)
- https://www.thales-esecurity.com/products-and-services/products-and-services/hardware-security-modules/general-purpose-hsms/nshield-connect
- https://hsm.utimaco.com/

Alex Kavanagh (ajkavanagh) wrote:

Utimaco doing some integration work:

From: Praktikant HSM <email address hidden>
To: "<email address hidden>" <email address hidden>
Thread-Topic: Barbican: Secure Setup & HSM-plugin
Thread-Index: AdH0mCnWx551uMSwSpSTrernHO3+eg==
Date: Fri, 12 Aug 2016 12:51:22 +0000
List-Id: "OpenStack Development Mailing List \(not for usage questions\)"
List-Unsubscribe: <http://lists.openstack.org/cgi-bin/mailman/options/openstack-dev>,
 <mailto:<email address hidden>?subject=unsubscribe>
List-Archive: <http://lists.openstack.org/pipermail/openstack-dev>

Hi all,

As a member of Utimaco's pre-sales team I am currently testing an integration of Barbican with one of our HSMs.

We were able to generate MKEKs and HMAC keys on the HSM with the 'pkcs11-key-generation' as well as 'barbican-manage hsm' commands. However, it is not fully clear to us how to use these keys to encrypt or sign data.

Additionally, we would appreciate further information concerning the secure setup of Barbican with an HSM-plugin.

Thank you in advance for your support.

Best regards,

Manuel Roth

System Engineering HSM

Utimaco IS GmbH
Germanusstr. 4
52080 Aachen


description: updated
Changed in charm-barbican:
importance: Undecided → Wishlist
James Page (james-page) on 2016-12-12
Changed in charm-barbican:
status: New → Triaged