Loading...

XML

Word

Printable

Type: Story
Resolution: Done
Priority: Undefined
Fix Version/s: rhos-18.0.9
Affects Version/s: None
Component/s: openstack-barbican
Labels:
None

Story Points:
2
Epic Link:
Enable Key Rotation using Simple Crypto plugin for Barbican
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Intelligence Requested:
Market:

Sprint:
DFG Security: Test Sprint 2, DFG Security: Test Sprint 3
sprint_count:
2

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Goal:

When using SimpleCrypto backend in Barbican, each Project is assigned a Project-specific Key-encryption Key (pKEK). This pKEK is created automatically the first time a user with a role on that specific project submits a request to barbican do do cryptographic work. This pKEK is used to encrypt all secrets owned by the project.
Currently there is no way to easily rotate these pKEKs

Acceptance Criteria:

A mechanism is provided to create a new pKEK for a specific project
A mechanism is provided to re-encrypt existing secrets using a specific (the latest) pKEK

mentioned on

Merge request - Fix sqlalchemy imports

Merge request - OSPRH-14359: Implement pKEK rotation for SimpleCrypto

Assignee:: Douglas Mendizabal

Reporter:: Douglas Mendizabal

Team:: rhos-dfg-security

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2025/02/27 5:38 PM

Updated:: 2025/05/15 2:56 PM

Resolved:: 2025/05/15 2:56 PM