Documented ATOS and Thales config for PKCS#11 plugin

Change-Id: I7e6a401993393f654c45865487d91b347cd972c0
Ade Lee 2019-01-25 16:38:41 -05:00
parent 2c9a4b33bc
commit 5fb7bfec55


@ -68,8 +68,13 @@ using the PKCS#11 protocol.
Secrets are encrypted (and decrypted on retrieval) by a project specific Secrets are encrypted (and decrypted on retrieval) by a project specific
Key Encryption Key (KEK), which resides in the HSM. Key Encryption Key (KEK), which resides in the HSM.
The configuration for this plugin in ``/etc/barbican/barbican.conf`` with settings shown for The configuration for this plugin in ``/etc/barbican/barbican.conf``.
use with a SafeNet HSM is as follows: Settings for some different HSMs are provided below:
Safenet
+++++++
The PKCS#11 plugin configuration looks like:
.. code-block:: ini .. code-block:: ini
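Review bot: the rewritten sentence on the new side of the ``/etc/barbican/barbican.conf`` line has lost its verb ("The configuration for this plugin in ``/etc/barbican/barbican.conf``."); suggest "The configuration for this plugin lives in ``/etc/barbican/barbican.conf``. Settings for several different HSMs are provided below:". The new "Safenet" heading also spells the vendor differently from the "SafeNet HSM" wording it replaces; pick one spelling and use it in both the heading and the prose.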
@ -81,25 +86,187 @@ use with a SafeNet HSM is as follows:
[p11_crypto_plugin] [p11_crypto_plugin]
# Path to vendor PKCS11 library # Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so' library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session # Password to login to PKCS11 session
login = 'mypassword' login = 'mypassword'
# Label to identify master KEK in the HSM (must not be the same as HMAC label) # Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'an_mkek' mkek_label = 'an_mkek'
# Length in bytes of master KEK # Length in bytes of master KEK
mkek_length = 32 mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label) # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'my_hmac_label' hmac_label = 'my_hmac_label'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1 # HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
# slot_id = 1 # slot_id = 1
# Enable Read/Write session with the HSM? # Enable Read/Write session with the HSM?
# rw_session = True # rw_session = True
# Length of Project KEKs to create # Length of Project KEKs to create
# pkek_length = 32 # pkek_length = 32
# How long to cache unwrapped Project KEKs # How long to cache unwrapped Project KEKs
# pkek_cache_ttl = 900 # pkek_cache_ttl = 900
# Max number of items in pkek cache # Max number of items in pkek cache
# pkek_cache_limit = 100 # pkek_cache_limit = 100
Thales
++++++
For a Thales NetHSM, the plugin configuration looks like:
.. code-block:: ini
# ================= Secret Store Plugin ===================
[secretstore]
..
enabled_secretstore_plugins = store_crypto
[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/opt/nfast/toolkits/pkcs11/libcknfast.so'
# Password to login to PKCS11 session
login = 'XXX'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'thales_mkek_0'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'thales_hmac_0'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
# slot_id = 1
# Enable Read/Write session with the HSM?
# rw_session = True
# Length of Project KEKs to create
# pkek_length = 32
# How long to cache unwrapped Project KEKs
# pkek_cache_ttl = 900
# Max number of items in pkek cache
# pkek_cache_limit = 100
# Secret encryption mechanism (string value)
# Deprecated group/name - [p11_crypto_plugin]/algorithm
encryption_mechanism = CKM_AES_CBC
# HMAC Key Type (string value)
hmac_key_type=CKK_SHA256_HMAC
# HMAC Key Generation Mechanism (string value)
hmac_keygen_mechanism = CKM_NC_SHA256_HMAC_KEY_GEN
# Generate IVs for CKM_AES_GCM mechanism. (boolean value)
# Deprecated group/name - [p11_crypto_plugin]/generate_iv
aes_gcm_generate_iv=True
# Always set CKA_SENSITIVE=CK_TRUE including
# CKA_EXTRACTABLE=CK_TRUE keys.
# default true
always_set_cka_sensitive=false
The HMAC and MKEK keys can be generated as follows:
.. code-block:: ini
barbican-manage hsm gen_hmac \
--library-path /opt/nfast/toolkits/pkcs11/libcknfast.so \
--passphrase XXX --slot-id 1 --label thales_hmac_0 \
--key-type CKK_SHA256_HMAC \
--mechanism CKM_NC_SHA256_HMAC_KEY_GEN
.. code-block:: ini
barbican-manage hsm gen_mkek \
--library-path /opt/nfast/toolkits/pkcs11/libcknfast.so \
--passphrase XXX --slot-id 1 --label thales_mkek_0
ATOS Bull
+++++++++
For an ATOS Bull HSM, the plugin configuration looks like:
.. code-block:: ini
# ================= Secret Store Plugin ===================
[secretstore]
..
enabled_secretstore_plugins = store_crypto
[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib64/libnethsm.so'
# Password to login to PKCS11 session
login = 'XXX'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'atos_mkek_0'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'atos_hmac_0'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
# slot_id = 1
# Enable Read/Write session with the HSM?
# rw_session = True
# Length of Project KEKs to create
# pkek_length = 32
# How long to cache unwrapped Project KEKs
# pkek_cache_ttl = 900
# Max number of items in pkek cache
# pkek_cache_limit = 100
# Secret encryption mechanism (string value)
# Deprecated group/name - [p11_crypto_plugin]/algorithm
encryption_mechanism = CKM_AES_CBC
# HMAC Key Type (string value)
hmac_key_type = CKK_GENERIC_SECRET
# HMAC Key Generation Mechanism (string value)
hmac_keygen_mechanism = CKM_GENERIC_SECRET_KEY_GEN
# Always set CKA_SENSITIVE=CK_TRUE including
# CKA_EXTRACTABLE=CK_TRUE keys.
# default true
always_set_cka_sensitive=false
The HMAC and MKEK keys can be generated as follows:
.. code-block:: ini
barbican-manage hsm gen_hmac --library-path /usr/lib64/libnethsm.so \
--passphrase XXX --slot-id 1 --label atos_hmac_0 \
--key-type CKK_GENERIC_SECRET \
--mechanism CKM_GENERIC_SECRET_KEY_GEN
.. code-block:: ini
barbican-manage hsm gen_mkek --library-path /usr/lib64/libnethsm.so \
--passphrase XXX --slot-id 1 --label atos_mkek_0
KMIP Plugin KMIP Plugin
----------- -----------
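Review bot: both the Thales and ATOS Bull examples set `always_set_cka_sensitive=false`, which per the option's own comment ("Always set CKA_SENSITIVE=CK_TRUE ... default true") switches off marking generated keys sensitive, but nothing says why these HSMs need the relaxation; add a sentence on the vendor behaviour that requires it so operators do not copy it onto an HSM that does not. Smaller points in the same hunk: `aes_gcm_generate_iv=True` in the Thales block only applies to CKM_AES_GCM (its comment says so), yet that block sets `encryption_mechanism = CKM_AES_CBC`, so either drop the line or note that it is inert here; the `barbican-manage hsm gen_hmac` and `gen_mkek` snippets are shell commands, so `.. code-block:: console` fits them better than `.. code-block:: ini`; `--passphrase XXX` on the command line ends up in shell history and process listings, which deserves a warning next to the examples; and `hmac_key_type=CKK_SHA256_HMAC` versus `hmac_key_type = CKK_GENERIC_SECRET` uses inconsistent spacing between the two blocks.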