Updated openstack/openstack

Project: openstack/barbican-specs  902ff00f27689838c8c87cabbc1f41aa9ea40b98

Add Crypto/HSM MKEK Rotation Support (Light)

Currently Barbican has no means to migrate secrets encrypted with a
crypto/HSM-style plugin to a new master key encryption key (MKEK) and
its associated wrapped project KEKs. This blueprint proposes adding a
new Barbican service process that supports completing the rotation
process by re-wrapping the project KEKs with the new MKEK.

Note that unlike the similarly-named blueprint at
https://blueprints.launchpad.net/barbican/+spec/add-crypto-mkek-rotation-support,
this blueprint does *not* call for re-encrypting secrets and is
therefore a 'lightweight' alternative to that blueprint.

Similar to the other blueprint, this process would be started after
deployers, out of band: (1) generate new MKEK and HMAC signing keys
with a binding to new labels, and then (2) replicate these keys to
other HSMs that may be in the high availability (HA) group, and then
(3) update Barbican's config file to reference these new labels, and
finally (4) restart the Barbican nodes. The proposed process would
then re-wrap the project KEKs with the new MKEKs, updating the
associated project KEK records with the new wrapped project KEKs.

Change-Id: Ic35dc0fbd98a38c560a2e9cf8bd0b01325914646
Jenkins 2015-06-10 14:03:24 +00:00 committed by Gerrit Code Review
parent 328f8ee0d5
commit c14cf1f99d
1 changed files with 1 additions and 1 deletions
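
The re-wrap step the commit message describes, as an added example in Go; it is not Barbican's code and not part of this commit. Software AES-256-GCM stands in for the HSM wrap operation, and `KEKRecord`, `Seal`, `Open`, `Rewrap` and the key labels are hypothetical names with constructed keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KEKRecord is a hypothetical stand-in for a stored project KEK row.
type KEKRecord struct {
	MKEKLabel string // label of the MKEK that wrapped this project KEK
	Wrapped   []byte // nonce || AES-GCM(project KEK)
}

func gcm(key []byte) cipher.AEAD { // stand-in for the HSM; key must be 32 bytes
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	return g
}

func Seal(key, pt []byte) []byte { // returns nonce || AES-GCM ciphertext
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}

func Open(key, ct []byte) ([]byte, error) {
	if len(key) != 32 || len(ct) < 12 {
		return nil, fmt.Errorf("missing key or truncated blob")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}

// Rewrap moves one project KEK to newLabel; secret ciphertexts are untouched.
func Rewrap(rec *KEKRecord, mkeks map[string][]byte, newLabel string) error {
	kek, err := Open(mkeks[rec.MKEKLabel], rec.Wrapped)
	if err != nil || len(mkeks[newLabel]) != 32 {
		return fmt.Errorf("rewrap to %q failed, record unchanged: %v", newLabel, err)
	}
	rec.Wrapped, rec.MKEKLabel = Seal(mkeks[newLabel], kek), newLabel
	return nil
}

func main() {
	keys := map[string][]byte{"old": make([]byte, 32), "new": make([]byte, 32)}
	rand.Read(keys["new"]) // constructed keys; real MKEKs stay inside the HSM
	rec := &KEKRecord{"old", Seal(keys["old"], []byte("constructed project KEK"))}
	fmt.Println("rewrap error:", Rewrap(rec, keys, "new"))
}
```

Because the project KEK itself never changes, every secret encrypted under it still decrypts after rotation, and the old MKEK can no longer open the stored record.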

@ -1 +1 @@
Subproject commit eb5fc837e5ac6e569eac654a268f04668dc6dc8c
Subproject commit 902ff00f27689838c8c87cabbc1f41aa9ea40b98
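
Review bot: on the two Subproject commit lines, nothing visible names the submodule path this gitlink belongs to, so the only tie to openstack/barbican-specs is that the new value 902ff00f27689838c8c87cabbc1f41aa9ea40b98 equals the hash on the message's "Project:" line. Suggest the sync message also record the submodule path and the previous pointer (eb5fc837e5ac6e569eac654a268f04668dc6dc8c), so the range of commits being pulled in can be reviewed without checking out the superproject.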