*** mhen_ is now known as mhen | 01:12 | |
rajiv | hi | 14:28 |
rajiv | Hi, | 15:02 |
xek | #startmeeting barbican | 15:03 |
opendevmeet | Meeting started Mon Aug 12 15:03:55 2024 UTC and is due to finish in 60 minutes. The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:03 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:03 |
opendevmeet | The meeting name has been set to 'barbican' | 15:03 |
xek | #topic Roll Call | 15:04 |
xek | Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley lpiwowar | 15:04 |
xek | o/ | 15:04 |
d34dh0r53 | o/ | 15:04 |
dmendiza[m] | 🙋♂️ | 15:04 |
xek | As usual our agenda can be found here: | 15:04 |
xek | #link https://etherpad.openstack.org/p/barbican-weekly-meeting | 15:04 |
xek | Just the usual topics today | 15:04 |
xek | #topic Review Past Meeting Action Items | 15:05 |
xek | #link https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-08-05-15.01.html | 15:05 |
xek | There were none | 15:05 |
xek | #topic Liaison Updates | 15:05 |
xek | TC Nominations and PTL Nominations start in | 15:07 |
xek | 2d 8h 37m | 15:08 |
xek | #link https://governance.openstack.org/election/ | 15:08 |
xek | That's all I had | 15:08 |
rajiv | Hi, I have a few questions, if there are no topics on the agenda. | 15:09 |
xek | #topic Open Discussion | 15:09 |
xek | rajiv go ahead :) | 15:09 |
rajiv | Which table is updated with mkek and hmac keys ? | 15:09 |
rajiv | I couldn't find the keys in the kek_id or encrypted_data table | 15:10 |
dmendiza[m] | Hi rajiv | 15:11 |
dmendiza[m] | When using the PKCS#11 backend, you actually have two rounds of encryption | 15:13 |
rajiv | Hey Doug, | 15:13 |
xek | I would guess this will be in the secrets table? | 15:13 |
dmendiza[m] | Barbican creates a PKEK, which stands for Project-specific Key Encryption Key | 15:14 |
dmendiza[m] | The MKEK and HMAC keys are used to encrypt the PKEK, and are not used to encrypt secrets | 15:14 |
dmendiza[m] | the Secrets themselves are encrypted using the PKEK that belongs to the Project in the context object | 15:14 |
rajiv | the background is the hsm device went down | 15:15 |
dmendiza[m] | The details should be stored in kek_meta_dto and kek_meta_extend, although I don't recall off the top of my head which table that is. | 15:15 |
rajiv | When I tried to create a new key with the same label I had errors | 15:16 |
rajiv | hence I had to update all keys with a new kek_id | 15:17 |
rajiv | are these columns or tables? kek_meta_dto and kek_meta_extend | 15:17 |
dmendiza[m] | Hmmm.... by "create a new key" do you mean you have a different key than before? | 15:17 |
rajiv | yes for both scenarios | 15:18 |
dmendiza[m] | Updating the Key ID will not work if that's the case | 15:19 |
dmendiza[m] | OK, so, unless you have a backup of the old key and are able to restore the old key to your HSM then I am afraid all your data is lost | 15:19 |
rajiv | If a new key is created, what's the workflow wrt the DB? | 15:19 |
dmendiza[m] | Encryption and Decryption work with a specific key. If you encrypt something with key X and then try to decrypt with key Y, you will not be able to. | 15:19 |
rajiv | yes, I learnt this the hard way | 15:19 |
dmendiza[m] | The best way to move forward is to change the name of your new key | 15:20 |
dmendiza[m] | and accept that data encrypted with the old key is now lost forever. :( | 15:20 |
rajiv | very true, I was presuming updating the DB with kek_id on the encryption_data table will help, hence I am asking for details. | 15:21 |
dmendiza[m] | You may be able to trick barbican into using the new key if you updated the DB data, but ultimately decryption will fail because the old key is not available. | 15:21 |
dmendiza[m] | e.g. | 15:22 |
rajiv | I created multiple keys on the partition but I see only the one which is configured; I don't see the new keys | 15:22 |
rajiv | yes, that's my intent, to take care if the keys are lost | 15:23 |
dmendiza[m] | Managing the KEK in the HSM is outside of the scope of Barbican. You should be able to look at all the keys stored in the HSM using a tool provided by your vendor. | 15:24 |
rajiv | okay, this query didn't help "select * from kek_data where plugin_name='barbican.plugin.crypto.p11_crypto.P11CryptoPlugin';" | 15:25 |
rajiv | if I get the id of the new keys in the kek_id table, I can play around with barbican-manage or the API to help me | 15:25 |
rajiv | the id from the kek_id table is used in the encrypted_data table where the secrets are encrypted with, hence if I know how barbican fetches or creates the new keys on the DB level, I can adapt my scripts accordingly. | 15:30 |
rajiv | I also found CKR_INVALID_SIGNATURE in barbican logs if multiple keys are present on the same partition to which barbican is configured. | 15:31 |
rajiv | Lastly, has anyone played around with multiple barbican instances in 1 openstack installation? I have a requirement to support a customer per barbican instance in 1 openstack installation | 15:32 |
dmendiza[m] | Hmm... that is .... interesting. Barbican does provide tenant-separation, so having a whole new deployment for a single tenant seems like overkill | 15:32 |
dmendiza[m] | I have no experience doing that. The tricky part might be configuring keystone to provide the correct URL in the endpoint list | 15:33 |
dmendiza[m] | Also, I'm not sure how keystonemiddleware would prevent a valid tenant from using a barbican instance | 15:34 |
dmendiza[m] | you might need to write your own middleware for that | 15:34 |
rajiv | okay thanks | 15:34 |
rajiv | So to conclude, how to find the table in which the keys are stored? | 15:35 |
rajiv | I presume reviewing this https://review.opendev.org/c/openstack/barbican/+/923822 would take longer? | 15:35 |
rajiv | I looked into https://github.com/openstack/barbican/blob/stable/2023.2/barbican/plugin/crypto/pkcs11.py to understand the DB flow but had no luck; are there any other hints on where to search? | 15:36 |
dmendiza[m] | I think this is the DB model you're looking for: https://opendev.org/openstack/barbican/src/branch/master/barbican/model/models.py#L544 | 15:38 |
rajiv | I looked into this already ;) as it pointed to the kek_data table; this was the basis for my initial conversation | 15:40 |
dmendiza[m] | Actual secrets are stored here: https://opendev.org/openstack/barbican/src/branch/master/barbican/model/models.py#L503 and should have a reference to the PKEK used | 15:40 |
dmendiza[m] | I'm out on PTO the rest of the week, but remind me again next week and I will try to take a deeper look. | 15:46 |
rajiv | okay sure | 15:47 |
xek | ok, let's continue to the last topic :) | 15:48 |
xek | #topic Bug Review | 15:48 |
xek | There were no new bugs reported | 15:48 |
xek | That's it for today | 15:49 |
xek | See y'all next week! | 15:49 |
xek | #endmeeting | 15:49 |
opendevmeet | Meeting ended Mon Aug 12 15:49:09 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:49 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-08-12-15.03.html | 15:49 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-08-12-15.03.txt | 15:49 |
opendevmeet | Log: https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-08-12-15.03.log.html | 15:49 |