openstack/security-doc
Code Issues Proposed changes

Merge "Fix Barbican PKCS#11 description"

Browse Source
This commit is contained in:
Zuul
2021-05-19 15:30:36 +00:00
committed by Gerrit Code Review
parent e6c4931f4c 8dbacc7b42
commit 89af0e12b8
1 changed files with 6 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
security-guide/source/secrets-management/barbican.rst
View File

@@ -61,11 +61,12 @@ PKCS#11 crypto plugin
The PKCS#11 crypto plugin can be used to interface with a Hardware The PKCS#11 crypto plugin can be used to interface with a Hardware
Security Module (HSM) using the PKCS#11 protocol. Secrets are encrypted Security Module (HSM) using the PKCS#11 protocol. Secrets are encrypted
(and decrypted on retrieval) by a project specific Key Encryption Key (and decrypted on retrieval) by a project specific Key Encryption Key
(KEK) which resides in the HSM. Since a different KEK is used for each (KEK). The KEK is protected (encrypted) with a Master KEK (MKEK). The MKEK
project, and since the KEKs are stored inside an HSM (instead of in resides in the HSM along with a HMAC. Since the different KEK is used for
plaintext in the configuration file) the PKCS#11 plugin is much more each project, and since the KEKs are stored inside a database in an encrypted
secure than the simple crypto plugin. It is the most popular back end form (instead of a plaintext in the configuration file) the PKCS#11 plugin
amongst Barbican deployments. is much more secure than the simple crypto plugin. It is the most popular
back end amongst Barbican deployments.
Secret store plugins Secret store plugins
-------------------- --------------------