-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Standardize List of allowed Barbican Plugins #509
Comments
As we will at least support Barbican (see issue SovereignCloudStack/issues#528), we should also require or at least advice some configuration of Barbican. |
At first I have to note, that it is better to use encryption with a not-optimal backend than to not use encryption at all. There is the possibility to configure multiple plugins: https://docs.openstack.org/barbican/latest/configuration/plugin_backends.html The Plugins are described here: https://docs.openstack.org/barbican/latest/install/barbican-backend.html
We should evaluate the usage of the different Plugins through the CSPs. The problem is also the testing of this issue: We would need to audit the config file used for Barbican in the deployment to know exactly which plugin is used. But doing so would compromise the security of Barbican, as information from this file should not be available to anyone outside the few operators of the CSP. My conclusion is, that in regards of the lack of possible testing, we could only give some recommendation to CSPs. And we should only do so, if we find, that we want to exclude one of the plugins OR if we want to rather give advice on how to rise the protection level of the config files / controller nodes / wherever Barbican is executed. Footnotes |
First of all: very instructive and intriguing! Second: I know I'm probably rather obnoxious by now, but I'm still wondering how much of this is relevant to the user, and how much is only relevant to the operator. As you already pointed out, we can provide advice on how to configure Barbican (or, maybe more importantly, how not to do it), but I'm not sure if this is a standard then. Maybe it can be attached to some standard as a Supplement. At any rate, I would expect participating CSPs to gather around in the SCS community and exchange their best-practice knowledge. We can of course encourage them to codify this knowledge. |
I recall our k8s versioning policy stating something about a time window for applying critical patches for CVEs. I guess this is something that we can require: to not use plugins that are deficient. |
I created a hedgedoc to gather CSP answers for the usage of Barbican and their Plugins. |
From my point of view, Barbican serves at least up to two key roles in an OpenStack environment:
In both cases the user has to trust in the cryptographic capabilities and integrity of Barbican. The source (entropy) quality of randomness for secret generation and the protection mechanisms for the stored secret assets are crucial for this. The actual implementation varies greatly between the available Barbican plugins. For example, the Security Guide states2:
This means, simply offering Barbican (and the Cinder volume encryption) to the user in an OpenStack cloud does not tell the user anything about the underlying security quality in terms of key management, currently. We could attempt to change that in SCS with a standard establishing some guarantees about the Barbican configuration (if feasible) that a SCS customer can rely on. I think this could differentiate SCS from a generic OpenStack cloud with arbitrary Barbican configuration. Footnotes |
@markus-hentsch I don't disagree ;) What I wanted to achieve: instead of naming specific plugins, rather make an abstract set of requirements, which can then be used to evaluate the plugins and to derive whether they are compliant or not. |
Remarks about the cryptography implementation (Fernet) used by the "simple crypto" plugin:
Footnotes
|
Adding to #509 (comment) from above I had a look at the Fernet situation for Keystone in SovereignCloudStack/issues#568 (comment). Fernet uses 256 bits of key material in total because of a 128 bit signing key used in addition to the AES key. For Keystone this makes this situation benign because the encryption part is not protecting any highly sensitive information. For Barbican, this is a bit different I think. |
Until now, no CSP had worked on the list, I will add it again to the list of Team IaaS. |
From the fact, that until now, no CSP answered to the list of Barbican Plugins, I conclude that Barbican is rarely used. That means, we should assume that most CSPs will go from not using Barbican to using it. The testing would require a manual audit regardless of what we want to standardize here - We would at least need to inspect the config + where it resides. If it is not findable or does not contain the masterKEK everything is fine. |
I tried to start write a standard, but soon I thought about the fact, that most CSPs are not currently using Barbican at all. While we should aim towards a high level of security, maybe allowing to encrypt the user data at all, would be more of a benefit than having a standard that would require CSP to either have HSM(s) or to otherwise store the MasterKEK safely (e.g. in an SGX enclave or a TPM or something similar). The latter might put too much of a financial burden upon CSPs. Let us look at it closer:
We should discuss whether we need a standard here or if we maybe just want some advisory in the IAM/Security Meeting. |
Barbican is used to store secrets for encrypted resources in OpenStack. To store those secrets different plugins / backends can be used. For security issues, we should not allow all possible plugins.
E.g. there is the simply crypto plugin, that simply stores the Master KEK in the config file, and all other secrets in the database, which makes it easy to access all secrets.
Most likely testing this will be only possible through audits, as this is something configuration specific and/or deployment specific.
Definition of Done:
scs-xxxx-v1-slug.md
(only substituteslug
)status
,type
,track
setDraft
, file renamed:xxxx
replaced by document numberDraft
)The text was updated successfully, but these errors were encountered: