Updated openstack/openstack
Project: openstack/barbican-specs 902ff00f27689838c8c87cabbc1f41aa9ea40b98

Add Crypto/HSM MKEK Rotation Support (Light)

Currently Barbican has no means to migrate secrets encrypted with a crypto/HSM-style plugin to a new master key encryption key (MKEK) and its associated wrapped project KEKs. This blueprint proposes adding a new Barbican service process that supports completing the rotation process by re-wrapping the project KEKs with the new MKEK.

Note that unlike the similarly-named blueprint at https://blueprints.launchpad.net/barbican/+spec/add-crypto-mkek-rotation-support, this blueprint does *not* call for re-encrypting secrets and therefore this blueprint is a 'lightweight' alternative to that blueprint.

Similar to the other blueprint, this process would be started after deployers, out of band: (1) generate new MKEK and HMAC signing keys with a binding to new labels, and then (2) replicate these keys to other HSMs that may be in the high availability (HA) group, and then (3) update Barbican's config file to reference these new labels, and finally (4) restart the Barbican nodes. The proposed process would then re-wrap the project KEKs with the new MKEKs, updating the associated project KEK records with the new wrapped project KEKs.

Change-Id: Ic35dc0fbd98a38c560a2e9cf8bd0b01325914646
parent 328f8ee0d5
commit c14cf1f99d
|
@ -1 +1 @@
|
|||
Subproject commit eb5fc837e5ac6e569eac654a268f04668dc6dc8c
|
||||
Subproject commit 902ff00f27689838c8c87cabbc1f41aa9ea40b98
|