Merge "Fix Barbican PKCS#11 description"

2021-05-19 15:30:36 +00:00 · 2021-05-19 15:30:36 +00:00 · 89af0e12b8
parent e6c4931f4c 8dbacc7b42
commit 89af0e12b8
1 changed files with 6 additions and 5 deletions
--- a/security-guide/source/secrets-management/barbican.rst
+++ b/security-guide/source/secrets-management/barbican.rst
@ -61,11 +61,12 @@ PKCS#11 crypto plugin
 The PKCS#11 crypto plugin can be used to interface with a Hardware
 Security Module (HSM) using the PKCS#11 protocol. Secrets are encrypted
 (and decrypted on retrieval) by a project specific Key Encryption Key
-(KEK) which resides in the HSM. Since a different KEK is used for each
-project, and since the KEKs are stored inside an HSM (instead of in
-plaintext in the configuration file) the PKCS#11 plugin is much more
-secure than the simple crypto plugin. It is the most popular back end
-amongst Barbican deployments.
+(KEK). The KEK is protected (encrypted) with a Master KEK (MKEK). The MKEK
+resides in the HSM along with a HMAC. Since the different KEK is used for
+each project, and since the KEKs are stored inside a database in an encrypted
+form (instead of a plaintext in the configuration file) the PKCS#11 plugin
+is much more secure than the simple crypto plugin. It is the most popular
+back end amongst Barbican deployments.

 Secret store plugins
 --------------------