From e6c4931f4ca6a3d90a20c76cabca5f4693dc7205 Mon Sep 17 00:00:00 2001 From: Dmitriy Rabotyagov Date: Tue, 27 Apr 2021 15:41:40 +0300 Subject: [PATCH] Add Barbican vault store plugin description Barbican has supported the Vault plugin through Castellan for a while, and it is worth mentioning on the page. Change-Id: I611a3472e2f00ab4feb6bf2a3ba1627a21fe5f62 --- .../source/secrets-management/barbican.rst | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/security-guide/source/secrets-management/barbican.rst b/security-guide/source/secrets-management/barbican.rst index bf424607..2271c837 100644 --- a/security-guide/source/secrets-management/barbican.rst +++ b/security-guide/source/secrets-management/barbican.rst @@ -71,8 +71,8 @@ Secret store plugins -------------------- Secret store plugins interface with secure storage systems to store the -secrets within those systems. There are two types of secret store -plugins: the KMIP plugin and the Dogtag plugin. +secrets within those systems. There are three types of secret store +plugins: the KMIP plugin, the Dogtag plugin, and the Vault plugin. KMIP plugin ----------- 
@@ -102,6 +102,20 @@ The KRA is a component of FreeIPA, therefore it is possible to configure the plugin with a FreeIPA server. More detailed instructions on how to set up Barbican with FreeIPA are provided `in the following blog post `_. +Vault plugin +------------ + +`Vault `_ is a secret storage developed by +Hashicorp for securely accessing secrets and other objects, such as API +keys, passwords, or certificates. Vault provides a unified interface to +any secret, while providing tight access control and recording a detailed +audit log. The enterprise version of Vault also allows to integrate with +HSM for auto-unseal, provide FIPS KeyStorage and entropy augmentation. +However, the downside of the Vault plugin is that it does not support +multitenancy, thus all secrets will be stored under the same +`Key/Value secret engine `_. +mountpoint. + Threat analysis ~~~~~~~~~~~~~~~
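Review bot: in the first hunk (the "three types of secret store plugins" sentence), the commit message says Vault support arrives through Castellan, but the hunk presents it as a peer of the KMIP and Dogtag plugins with no mention of that; suggest "the KMIP plugin, the Dogtag plugin, and the Vault plugin (provided through Castellan)" so the reader knows which component supplies it and where its configuration lives.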
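Review bot: the closing sentence of the new Vault section in the second hunk is broken: the link reference is followed by a period and the sentence then continues with "mountpoint." on the next line (`Key/Value secret engine `_. mountpoint.), so the rendered text ends at "engine" and leaves a stray fragment; move the period after "mountpoint" and drop the one after the link. Two wording fixes in the same paragraph: "a secret storage developed by Hashicorp" should read "a secret store developed by HashiCorp" (vendor spelling), and "allows to integrate with HSM for auto-unseal, provide FIPS KeyStorage and entropy augmentation" is ungrammatical; suggest "supports HSM integration for auto-unseal, FIPS-compliant key storage, and entropy augmentation". Since this is the security guide, the multitenancy limitation deserves its consequence spelled out: because every project's secrets land in the same KV mount, Vault-side policies cannot separate them per tenant, and operators should know that before choosing this backend.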