Cryptographic Backend Plugin Development

Barbican currently defers cryptographic operations such as encryption and decryption to pluggable backends. This gives flexibility to operators of OpenStack clouds by allowing them to choose the right backend for their cloud.

While Barbican does provide a few implementations of cryptographic backend plugins, some OpenStack operators may require a custom backend that performs encryption, decryption and/or storage in a particular manner.

This guide describes how to develop a custom cryptographic backend plugin for use by Barbican.

`plugin` Module

The barbican.crypto.plugin module contains the classes needed to implement a custom plugin. These classes include the CryptoPluginBase abstract base class which custom plugins should inherit from, as well as several Data Transfer Object (DTO) classes used to transfer data between Barbican and the plugin.

Data Transfer Objects

The DTO classes are used to wrap data that is passed from Barbican to the plugin as well as data that is returned from the plugin back to Barbican. They provide a level of isolation between the plugins and Barbican's interal data models.

KEKMetaDTO

EncryptDTO

DecryptDTO

GenerateDTO

Plugin Base Class

Custom Barbican backends should implement the abstract base class CryptoPluginBase. Concrete implementations of this class should be exposed to barbican using stevedore mechanisms explained later in this guide.

CryptoPluginBase

1.7 KiB Raw Blame History

Cryptographic Backend Plugin Development

plugin Module

Data Transfer Objects

Plugin Base Class

1.7 KiB

Raw Blame History

`plugin` Module