OpenStack Barbican Charm

(Tracking) HSMs for Barbican

Bug #1615211 reported by Alex Kavanagh on 2016-08-20

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Barbican Charm	Triaged	Wishlist	Unassigned

Bug Description

The HSM’s that the Barbican team are aware of are:

- Dogtag (fedora project): http://pki.fedoraproject.org/wiki/PKI_Main_Page
- Safenet by Gemalto https://safenet.gemalto.com/data-encryption/hardware-security-modules-hsms/safenet-network-hsm/
- nSheild by Thales (via a KMIP interface?)
- Also utimaco have been doing some integration work.

And that’s pretty much it. The Safenet is the device that all the PKCS#11 work has been done by.

Dogtag is an app that can run on a machine, and so it’s really an HSM; however, they do say it’s been hardened.
Safenet and nSheild are both HSMs; there are USB, PCIe and Network versions of their products.

Barbican also has recently gained KMIP support — this is a network protocol that provides most of the features of PKCS#11 (which is a library specification).

Resource links:

- https://safenet.gemalto.com/data-encryption/hardware-security-modules-hsms/usb-hsm/
- http://pki.fedoraproject.org/wiki/PKI_Main_Page
- https://en.wikipedia.org/wiki/Key_Management_Interoperability_Protocol
- https://github.com/OpenKMIP/PyKMIP — KMIP server (for testing)
- https://www.thales-esecurity.com/products-and-services/products-and-services/hardware-security-modules/general-purpose-hsms/nshield-connect
- https://hsm.utimaco.com/

See original description

Revision history for this message

Alex Kavanagh (ajkavanagh) wrote on 2016-08-20:

Utimaco doing some integration work:

From: Praktikant HSM <email address hidden>
To: "<email address hidden>" <email address hidden>
Thread-Topic: Barbican: Secure Setup & HSM-plugin
Thread-Index: AdH0mCnWx551uMSwSpSTrernHO3+eg==
Date: Fri, 12 Aug 2016 12:51:22 +0000
List-Id: "OpenStack Development Mailing List \(not for usage questions\)"
<openstack-dev.lists.openstack.org>
List-Unsubscribe: <http://lists.openstack.org/cgi-bin/mailman/options/openstack-dev>,
<mailto:<email address hidden>?subject=unsubscribe>
List-Archive: <http://lists.openstack.org/pipermail/openstack-dev>

Hi all,

As a member of Utimaco's pre-sales team I am currently testing an integration of Barbican with one of our HSMs.

We were able to generate MKEKs and HMAC keys on the HSM with the 'pkcs11-key-generation' as well as 'barbican-manage hsm' commands. However, it is not fully clear to us how to use these keys to encrypt or sign data.

Additionally, we would appreciate further information concerning the secure setup of Barbican with an HSM-plugin.

Thank you in advance for your support.

Best regards,

Manuel Roth

-------------------------------
System Engineering HSM

Utimaco IS GmbH
Germanusstr. 4
52080 Aachen
Germany

www.utimaco.com

description:

updated

Alex Kavanagh (ajkavanagh) on 2016-12-09

Changed in charm-barbican:
importance:	Undecided → Wishlist

James Page (james-page) on 2016-12-12

Changed in charm-barbican:
status:	New → Triaged

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.