openstack
/
barbican-specs
Code Issues Proposed changes

Merge "Add Crypto/HSM MKEK Rotation Support (Light)"

This commit is contained in:
Jenkins 2015-06-10 14:03:24 +00:00 committed by Gerrit Code Review
parent eb5fc837e5 acf8737751
commit 902ff00f27
1 changed files with 277 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

277
specs/liberty/add-crypto-mkek-rotation-support-lightweight.rst Normal file
View File

@ -0,0 +1,277 @@
..
This work is licensed under a Creative Commons Attribution 3.0 Unported
License.
http://creativecommons.org/licenses/by/3.0/legalcode
================================================================
Add Crypto/HSM MKEK Rotation and Migration Support (Lightweight)
================================================================
Include the URL of your launchpad blueprint:
https://blueprints.launchpad.net/barbican/+spec/add-crypto-mkek-rotation-support-lightweight
Currently Barbican has no means to migrate secrets encrypted with a
crypto/HSM-style plugin to a new master key encryption key (MKEK) and its
associated wrapped project KEKs. This blueprint proposes adding a new Barbican
utility that supports completing the rotation process by rewrapping the project
KEKs with the new MKEK. Note that unlike the similarly-named blueprint at [1],
this blueprint does *not* call for re-encrypting secrets and is therefore a
'lightweight' alternative to that blueprint.
Comparing the two approaches, this lightweight approach just rotates
the MEKs and rewraps the project KEKs, leaving each secret's encrypted data
unchanged. The other blueprint rotates the MKEKs, project KEKs and the
encrypted secret information.
Thus this blueprint has a less thorough rotation process for secrets which
could increase the chances of decrypting the secret's encrypted data. The
likelihood of such an attack is expected to be small however. After all, MKEKs
are infrequently rotated due to their low probability of being guessed or
compromised. This blueprint's less thorough approach is expected to be less
process intensive and execute faster when there are many secrets stored in the
database.
Similar to the other blueprint, this utility would be started after deployers,
out of band:
1. generate new MKEK and HMAC signing keys with a binding to new labels, and
then
2. Replicate these keys to other HSMs that may be in the high availability (HA)
group, and then
3. Update Barbican's config file to reference these new labels, and finally
4. Restart the Barbican nodes.
The proposed utility would then rewrap the project KEKs with the new MKEKs,
updating the associated project KEK records with the new wrapped project KEKs.
Note that only HSM/crypto-style plugins rotations are proposed for this
blueprint.
Problem Description
===================
When a secret is stored in Barbican using the crypto-style plugin, a
`KEKDatum` entity (from `barbican.model.models`) is retrieved for the secret's
project. If no such entities are found for this project, then the following
steps occur:
1. A new `KEKDatum` entity is created for the project and the specific crypto-
style plugin with status of `ACTIVE`. The `ACTIVE` status indicates that
this entity should be used for secret encryptions from then on.
2. The `bind_kek_metadata()` method is invoked on the crypto plugin. The plugin
then creates a project-level KEK that will be used to encrypt new secrets
for that project. For the PKCS11 HSM plugin, this is the project KEK that is
wrapped/encrypted by the MKEK.
3. Information about this project-level KEK is then added to `plugin_meta`
attribute of the new `KEKDatum` entity.
4. When a secret is finally stored, it has a `Secret` entity created for it to
hold metadata, and also an associated `EncryptedDatum` entity that holds
both the encrypted cypher text for the secret, and a reference to the
project-level `KEKDatum` record.
5. Thereafter, new secrets that need to be encrypted for this same project
will used this `KEKDatum` entity, with no further attempts made to generate
a new entity.
Hence the `KEKDatum` entity is associated with project-level KEKs, which in
turn are associated with a single MKEK in the HSM. As rotation involves
creating a new MKEK (but not the project KEKs for this lightweight version),
the `KEKDatum` entity needs to be updated per project to rewrap/encrypt the
project KEK it contains.
Unlike the more stringent key rotation blueprint, no other steps are needed.
The secrets, there UUIDs and their associated encrypted data, do not need to
change at all, which should speed the overall migration process.
A requirement is that this utility be resilient, allowing for the utility to
be re-run if it fails midway.
This blueprint details an approach to rewrap existing project KEKs with a
new MKEK.
Proposed Change
===============
This blueprint proposes the following steps be taken to complete the KEK
rotation and migration effort:
1. Out of band to Barbican (so by deployers), new MKEK and HMAC keys are
created in the HSM, with new unique labels. For high availability
configurations such keys must be replicated across all HSMs in the cluster.
2. For each API and worker node in the network, update their
`/etc/barbican/barbican-api.conf` files' `mkek_label` and `hmac_label`
attributes with the new unique labels generated above. Note that once
Barbican is restarted, secrets added to new project-IDs will start to use
the new MKEK to wrap their new project KEKs. Existing secrets will still
utilize the old MKEK though hence the need for the new utility.
3. Restart the API and worker nodes. Barbican should be running normally at
this point, with the following utility-based steps occurring while Barbican
operates.
4. Via a new utility proposed in this blueprint, query for all `KEKDatum`
entities for a specified crypto-style plugin class
(e.g. `barbican.plugin.crypto.simple_crypto.SimpleCryptoPlugin`). These
wrapped-project KEKs need to be rewrapped with the new MKEK.
5. For each `KEKDatum` entity, invoke a new method on the crypto-style
plugin contract (defined in `barbican.plugin.crypto.crypto.py`) called
'rewrap_project_kek()', which takes the entity as input and updates it with
the rewrapped project KEK. The plugin would need to load the wrapped
project KEK into the HSM, decrypt it with the old MKEK, encrypt it with the
new MKEK, and then return the new wrapped project KEK (but still containing
the original project KEK).
6. The `KEKDatum` entity above would then be updated with the new wrapped
project KEK information. Since this is an in-place update, the secrets
associated with this entity do not have to be updated at all, unlike [1].
7. Info log the UUID of the migrated `KEKDatum` entity to produce a record of
the migration.
The proposed utility would be implemented as a Python `barbican.cmd` script
and added as a `pbr` entry point in the `setup.cfg` file, and hence available
as a callable command once Barbican is deployed.
To preserve data integrity steps 5 and 6 should be performed in a database
transaction.
Alternatives
------------
See the more heavy-weight alternative approach to key rotation at [1].
Data model impact
-----------------
No data model or repository changes are needed for the proposed solution. Data
migrations will be required as detailed in the Proposed Change section above.
REST API impact
---------------
None.
Security impact
---------------
The proposed solution completes necessary key rotation processes by rewrapping
project KEKs used to encrypt secrets. There are improbable but possible data
loss risks with the proposed approach however, since project KEKs encrypted
with old MKEKs are replaced with these same project KEKs encrypted with the new
MKEKs. If the database update transaction fails and corrupts this record (very
unlikely with ACID compliant databases, but possible), decryption would fail
for all secrets derived from the failed project KEK. However, since these
wrapped project KEKs do not change often (on the order of the MKEK rotation
schedule) recovery from database backups is very likely, thus mitigating this
risk.
Also, if the MKEK is compromised *and* if the attacker has access to the
database backups for secrets they can then decrypt them by first unwrapping
the project KEKs. Deployers should be mindful of this and securely store
backups.
Notifications & Audit Impact
----------------------------
A log of each `KEKDatum` entity migrated is produced by the proposed utility,
which could be used to prove to auditors that a migration/rotation occurred.
Other end user impact
---------------------
None.
Performance Impact
------------------
The proposed utility could take significant time to process if there are many
project-IDs to migrate, and thus it would represent a load on the HSM to
re-wrap the project KEKs, impacting normal Barbican operations. This utility
would be called quite infrequently however (maybe 1 to 4 times a year). Since
there are fewer project IDs/KEKs then secrets, this utility would be more
performant than the 'all secrets' migration proposed in [1].
Other deployer impact
---------------------
The proposed utility would be executed as a new executable command available
after deployment Barbican. The proposed changes would not require updates to
the configuration file schema, but would require updates to provide new
MKEK and HMAC key labels as detailed above.
Also, if the MKEK is compromised *and* if the attacker has access to the
database backups for secrets they can then decrypt them by first unwrapping
the project KEKs. Deployers should be mindful of this and securely store
backups.
Developer impact
----------------
None.
Implementation
==============
Assignee(s)
-----------
TBD
Work Items
----------
The proposed work items are:
1. Create a Python command script to implement the steps in the Proposed
Change section.
2. Add unit testing to cover the new code lines.
3. Add integration unit test that, using the default `simple_crypto.py` plugin
and an in-memory SQLite database, first creates a few known secrets with the
default MEK in the config file, and then modifies this MEK, and then
executes the migration script logic. The secrets should be decrypted and
verified for accuracy. The `KEKDatum` entities should have their
`updated_at` dates updated. The secrets should again be decrypted and
verified for accuracy, which proves the migration of all secrets to the
updated `KEKDatum` record occurred successfully.
4. Document the overall key rotation and migration process, including the usage
of the new migration utility.
Dependencies
============
None.
Testing
=======
No DevStack functional tests are expected at this time. Once an HSM gate job is
added, a future blueprint add tests will be added.
Documentation Impact
====================
The last work item details the required documentation.
References
==========
[1] https://blueprints.launchpad.net/barbican/+spec/add-crypto-mkek-rotation-support