*** mhen_ is now known as mhen | 03:00 | |
xek | #startmeeting barbican | 15:00 |
opendevmeet | Meeting started Mon Feb 3 15:00:53 2025 UTC and is due to finish in 60 minutes. The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
opendevmeet | The meeting name has been set to 'barbican' | 15:00 |
xek | #topic Roll Call | 15:01 |
rajiv | Heyy | 15:01 |
xek | Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley lpiwowar | 15:01 |
xek | o/ | 15:01 |
xek | As usual our agenda can be found here: | 15:01 |
xek | #link https://etherpad.openstack.org/p/barbican-weekly-meeting | 15:01 |
rajiv | hope dmendiza[m] would be joining ? | 15:02 |
dmendiza[m] | 🙋 | 15:02 |
rajiv | :) | 15:03 |
xek | #topic Review Past Meeting Action Items | 15:03 |
xek | #link https://meetings.opendev.org/meetings/barbican/2025/barbican.2025-01-27-15.08.html | 15:03 |
xek | There were no action items | 15:03 |
xek | #topic Liaison Updates | 15:03 |
xek | #link https://releases.openstack.org/epoxy/schedule.html | 15:05 |
xek | I see we have an Oslo feature freeze Feb 10 - Feb 14 | 15:05 |
xek | which has bitten us in the past, since castellan is in oslo | 15:06 |
xek | #topic Open Discussion | 15:07 |
rajiv | Hi Doug, i wanted your view on https://bugs.launchpad.net/barbican/+bug/2036506/comments/34 | 15:08 |
dmendiza[m] | looking ... | 15:09 |
dmendiza[m] | rajiv: looks like they fixed their docs? But yeah, it's either CKM_AES_CBC or CKM_AES_GCM | 15:11 |
dmendiza[m] | GCM is preferred | 15:11 |
rajiv | Thales docs were updated after several follow-ups | 15:12 |
rajiv | i wanted to confirm here before proceeding with upgrades in production | 15:12 |
rajiv | second, the default was CKM_AES_CBC_PAD; if I change to CKM_AES_KEY_WRAP_KWP, will old keys be impacted? Old secrets can still be unwrapped using CKM_AES_CBC_PAD. New secrets will be wrapped using CKM_AES_KEY_WRAP_KWP. | 15:12 |
rajiv | is the above correct ? | 15:13 |
dmendiza[m] | I think so ... probably worth testing in a staging environment | 15:13 |
rajiv | I didn't have any issues in QA; also, the patch was implemented > HSM firmware was upgraded > the barbican.conf wasn't upgraded, but all operations work well. | 15:14 |
rajiv | Hence, do I need to update the barbican.conf before or after upgrading the device firmware? | 15:14 |
dmendiza[m] | I would update the device firmware first | 15:16 |
rajiv | okay, to confirm, rollout the patch > update device firmware > deploy updated barbican.conf | 15:17 |
rajiv | apart from enabling HSM device logging, is there a way to check the key mechanisms currently used by barbican? | 15:20 |
dmendiza[m] | Barbican will use whatever is in the conf file for new secrets | 15:21 |
dmendiza[m] | and the metadata from the secret for existing secrets | 15:21 |
dmendiza[m] | I'm not sure we have any logging in any of the methods though. | 15:21 |
dmendiza[m] | Could be a good patch to contribute to enable debugging, rajiv | 15:21 |
rajiv | cool, noted :) do I need to raise a document request for CKM_AES_CBC or CKM_AES_GCM to be updated in the docs? | 15:22 |
rajiv | lastly, the only point to remember is that CKM_AES_CBC and CKM_AES_CBC_PAD must not be used as the wrapping mechanism, as Luna HSMs do not allow them to be used as a wrapping mechanism in FIPS mode, and Barbican doesn't support CKM_AES_GCM for wrapping. We have the latest release firmware 7.8.7, and both CKM_AES_CBC and CKM_AES_GCM are supported for Encryption/Decryption, so I don't think both of them will be deprecated in FIPS mode for encryption/decryption. | 15:23 |
dmendiza[m] | Yeah, that sounds right. | 15:25 |
rajiv | then the below barbican.conf should be good right ? | 15:25 |
rajiv | encryption_mechanism = CKM_AES_GCM hmac_key_type = CKK_GENERIC_SECRET hmac_keygen_mechanism = CKM_GENERIC_SECRET_KEY_GEN hmac_mechanism = CKM_SHA256_HMAC key_wrap_mechanism = CKM_AES_KEY_WRAP_KWP aes_gcm_generate_iv = True | 15:25 |
dmendiza[m] | lgtm | 15:26 |
rajiv | aes_gcm_generate_iv should be True, right? | 15:27 |
dmendiza[m] | I'm not sure ... I was looking over my notes, and I've tested it with aes_gcm_generate_iv=False | 15:29 |
dmendiza[m] | What that does is let the HSM auto-generate the IV | 15:30 |
dmendiza[m] | when set to True it is Barbican that pre-generates the IV | 15:30 |
rajiv | okay, based on the docu : | 15:30 |
rajiv | # Generate IVs for CKM_AES_GCM mechanism. (boolean value) # Deprecated group/name - [p11_crypto_plugin]/generate_iv aes_gcm_generate_iv=True | 15:30 |
rajiv | have we confirmed that KMIP support will be deprecated? We are implementing https://github.com/sapcc/PyKMIP/blob/master/kmip/services/server/barbican.py | 15:35 |
dmendiza[m] | It's untested, and probably won't work | 15:38 |
dmendiza[m] | so yeah, not currently supported by the core team | 15:38 |
rajiv | thanks for answers :) | 15:39 |
xek | Great :) Let's check the bug list... | 15:40 |
xek | #topic Bug Review | 15:40 |
xek | There were no new bugs reported since our last meeting | 15:41 |
xek | That's it for today! See y'all next week! | 15:41 |
xek | #endmeeting | 15:41 |
opendevmeet | Meeting ended Mon Feb 3 15:41:40 2025 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:41 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/barbican/2025/barbican.2025-02-03-15.00.html | 15:41 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/barbican/2025/barbican.2025-02-03-15.00.txt | 15:41 |
opendevmeet | Log: https://meetings.opendev.org/meetings/barbican/2025/barbican.2025-02-03-15.00.log.html | 15:41 |