diff --git a/docker/services/barbican-api.yaml b/docker/services/barbican-api.yaml
index 9fba31d455..1981d26b40 100644
--- a/docker/services/barbican-api.yaml
+++ b/docker/services/barbican-api.yaml
@@ -95,6 +95,10 @@ parameters:
 description: Cryptoki Mechanism used to generate Master HMAC Key
 type: string
 default: 'CKM_AES_KEY_GEN'
+ BarbicanPkcs11AlwaysSetCkaSensitive:
+ description: Always set CKA_SENSITIVE=CK_TRUE
+ type: boolean
+ default: true
 ThalesHSMNetworkName:
 description: The network that the HSM is listening on.
 type: string
diff --git a/environments/barbican-backend-pkcs11-atos.yaml b/environments/barbican-backend-pkcs11-atos.yaml
index d576380a50..d3b21e0fee 100644
--- a/environments/barbican-backend-pkcs11-atos.yaml
+++ b/environments/barbican-backend-pkcs11-atos.yaml
@@ -17,6 +17,7 @@ parameter_defaults:
 BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0'
 BarbicanPkcs11CryptoATOSEnabled: true
 BarbicanPkcs11CryptoEnabled: true
+ BarbicanPkcs11AlwaysSetCkaSensitive: false
 ATOSVars:
 atos_client_working_dir: /tmp/atos_client_install
 # atos_client_iso_location:
diff --git a/environments/barbican-backend-pkcs11-thales.yaml b/environments/barbican-backend-pkcs11-thales.yaml
index 7ee30c812d..f0bab187dc 100644
--- a/environments/barbican-backend-pkcs11-thales.yaml
+++ b/environments/barbican-backend-pkcs11-thales.yaml
@@ -18,6 +18,7 @@ parameter_defaults:
 BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0'
 BarbicanPkcs11CryptoThalesEnabled: true
 BarbicanPkcs11CryptoEnabled: true
+ BarbicanPkcs11AlwaysSetCkaSensitive: false
 ThalesVars:
 thales_client_working_dir: /tmp/thales_client_install
 # thales_client_tarball_location: URI where the CipherTools tarball can be downloaded.
diff --git a/environments/barbican-backend-pkcs11.yaml b/environments/barbican-backend-pkcs11.yaml
index 4767de2bb7..5d9f647776 100644
--- a/environments/barbican-backend-pkcs11.yaml
+++ b/environments/barbican-backend-pkcs11.yaml
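Review bot: The `description: Always set CKA_SENSITIVE=CK_TRUE` on the new `BarbicanPkcs11AlwaysSetCkaSensitive` parameter names the PKCS#11 attribute but not what it protects, and the same wording is repeated in the parameters hunk of puppet/services/barbican-backend-pkcs11-crypto.yaml. In this same change the ATOS and Thales environments turn the option off, so an operator reading the template needs to know what is given up when they do. In PKCS#11, CKA_SENSITIVE=CK_TRUE means the token will not reveal the key's value in plaintext, so suggest `description: Always set CKA_SENSITIVE=CK_TRUE on keys generated by the plugin, so the HSM never reveals their plaintext value; setting this to false weakens key protection.` in both templates.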
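Review bot: `BarbicanPkcs11AlwaysSetCkaSensitive: false` overrides the template default of `true` with no comment saying why this backend needs it, while the neighbouring `ATOSVars` entries each carry an explanatory comment; the Thales environment hunk has the same gap. Because this relaxes the CKA_SENSITIVE protection on generated keys, the reason belongs next to the override so it is not copied into other environments by habit. Suggest a comment above the line such as `# Left unset for this HSM because <REASON-PLACEHOLDER: why CKA_SENSITIVE cannot be forced here>`, with the placeholder replaced by the actual constraint.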
@@ -11,7 +11,8 @@ parameter_defaults:
 # BarbicanPkcs11CryptoHMACLabel: Label for the HMAC key
 # BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
 # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
- BarbicanPkcs11CryptoEnabled: true
+ BarbicanPkcs11CryptoEnabled: true
+ BarbicanPkcs11AlwaysSetCkaSensitive: true
 resource_registry:
 OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml
diff --git a/puppet/services/barbican-backend-pkcs11-crypto.yaml b/puppet/services/barbican-backend-pkcs11-crypto.yaml
index 1857ce8164..7e0cad26d8 100644
--- a/puppet/services/barbican-backend-pkcs11-crypto.yaml
+++ b/puppet/services/barbican-backend-pkcs11-crypto.yaml
@@ -72,6 +72,10 @@ parameters:
 description: Generate IVs for CKM_AES_GCM encryption mechanism
 type: boolean
 default: true
+ BarbicanPkcs11AlwaysSetCkaSensitive:
+ description: Always set CKA_SENSITIVE=CK_TRUE
+ type: boolean
+ default: true
 BarbicanPkcs11CryptoGlobalDefault:
 description: Whether this plugin is the global default plugin
 type: boolean
@@ -93,4 +97,5 @@ outputs:
 barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
 barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
 barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV}
+ barbican::plugins::p11_crypto::p11_crypto_plugin_always_set_cka_sensitive: {get_param: BarbicanPkcs11AlwaysSetCkaSensitive}
 barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}
diff --git a/releasenotes/notes/added-new-barbican-option-always-set-cka-sensitive-7a9dc31290899cac.yaml b/releasenotes/notes/added-new-barbican-option-always-set-cka-sensitive-7a9dc31290899cac.yaml
new file mode 100644
index 0000000000..f464a9dbf1
--- /dev/null
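Review bot: The new `BarbicanPkcs11AlwaysSetCkaSensitive: true` line is added to the settings block of environments/barbican-backend-pkcs11.yaml, but the commented parameter list directly above it, which documents each tunable as `# Name: meaning`, gets no entry for the new option. Suggest adding `# BarbicanPkcs11AlwaysSetCkaSensitive: Whether CKA_SENSITIVE=CK_TRUE is set on generated keys (default true)` alongside the existing entries so the option is discoverable from the sample environment. The removed and re-added `BarbicanPkcs11CryptoEnabled: true` line reads identically here, so this is presumably a whitespace-only change; worth confirming it is intentional rather than an editor artifact.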
+++ b/releasenotes/notes/added-new-barbican-option-always-set-cka-sensitive-7a9dc31290899cac.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Added a new Barbican option `BarbicanPkcs11AlwaysSetCkaSensitive`. The
+ default value is `true`.