  1. Red Hat OpenStack Services on OpenShift
  2. OSPRH-14356

Enable Key Rotation using Simple Crypto plugin for Barbican

    • rhos-ops-platform-services-security
    • 0% To Do, 0% In Progress, 100% Done

      Goal:

      • The Simple Crypto plugin is the default backend for Barbican. It uses a single key-encryption key (KEK) defined in the conf file to encrypt data.
      • The goal of this epic is to provide a mechanism to rotate this key while minimizing the impact on the availability of the Barbican service.

      Acceptance Criteria:

      • A new KEK can be provided to encrypt new data while the old KEKs can still be used to decrypt existing data
      • Provide a mechanism to re-encrypt data with the new key so that the old key(s) can be retired and deleted from the conf file.

      Open questions:

      • The KEK in the conf file is only used to encrypt pKEKs. We may also want to have a mechanism to rotate pKEKs.
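
The rotation flow in the acceptance criteria, as an added example that is not Barbican code or the epic's implementation: a new KEK encrypts new data while the old KEK still decrypts, stored pKEKs are re-wrapped, and the old KEK is retired only once nothing depends on it. It assumes an ordered KEK list with the active key first and uses `MultiFernet` from the Python `cryptography` package as a stand-in; all function names and the in-memory `store` are hypothetical.

```python
# Added illustration, not Barbican code; function names and store are hypothetical.
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def build_keyring(keks):
    """keks[0] encrypts new data; every listed KEK can still decrypt."""
    return MultiFernet([Fernet(k) for k in keks])


def wrapped_by(kek, token):
    """True if token decrypts under this one KEK."""
    try:
        Fernet(kek).decrypt(token)
        return True
    except InvalidToken:
        return False


def rewrap_all(store, keks):
    """Re-encrypt each stored pKEK under keks[0]; return how many changed."""
    ring, changed = build_keyring(keks), 0
    for project, token in store.items():
        if not wrapped_by(keks[0], token):
            store[project] = ring.rotate(token)
            changed += 1
    return changed


def can_retire(store, old_kek):
    """An old KEK may be deleted only when no stored token needs it."""
    return not any(wrapped_by(old_kek, t) for t in store.values())


def demo():
    old_kek, new_kek = Fernet.generate_key(), Fernet.generate_key()
    # Constructed sample store: two pKEKs wrapped before the rotation.
    store = {p: Fernet(old_kek).encrypt(Fernet.generate_key())
             for p in ("project-a", "project-b")}
    before = {p: Fernet(old_kek).decrypt(t) for p, t in store.items()}
    keks = [new_kek, old_kek]            # new KEK first, old kept for reads
    ring = build_keyring(keks)
    store["project-c"] = ring.encrypt(Fernet.generate_key())
    readable = all(ring.decrypt(t) for t in store.values())
    blocked = not can_retire(store, old_kek)   # old KEK still in use
    changed = rewrap_all(store, keks)
    only_new = build_keyring([new_kek])        # old KEK removed from the list
    intact = all(only_new.decrypt(store[p]) == v for p, v in before.items())
    return readable, blocked, changed, can_retire(store, old_kek), intact
```

`demo()` returns whether all entries stayed readable during rotation, whether retirement was blocked before the re-wrap, how many entries were re-wrapped, whether the old KEK can be retired afterwards, and whether the unwrapped pKEKs are unchanged.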

              dmendiza Douglas Mendizabal
              rhos-dfg-security