Wednesday, 2021-02-10

*** gmann_afk is now known as gmann 00:19
*** spatel has quit IRC 00:53
*** spatel has joined #openstack-barbican 03:04
*** jmlowe has quit IRC 04:37
*** JohnnyRainbow has quit IRC 04:37
*** jmlowe has joined #openstack-barbican 04:42
*** JohnnyRainbow has joined #openstack-barbican 04:42
*** openstackstatus has quit IRC 04:58
*** openstack has joined #openstack-barbican 04:59
*** ChanServ sets mode: +o openstack 04:59
*** spatel has quit IRC 05:19
*** redrobot4 has joined #openstack-barbican 05:34
*** redrobot has quit IRC 05:37
*** redrobot4 is now known as redrobot 05:37
openstackgerrit: Ade Lee proposed openstack/barbican-tempest-plugin master: Initial patch to add barbican rbac tests  https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/774771 06:15
*** tosky has joined #openstack-barbican 09:12
noonedeadpunk: hey everyone! I was wondering if it's possible to somehow switch between HSM stored keys? I guess that would require rotation of everything that is stored in barbican within that HSM backend, right? 11:33
noonedeadpunk: So you can't just switch to another slot (except taking the key with you) 11:33
*** raildo has joined #openstack-barbican 11:57
*** raildo_ has joined #openstack-barbican 12:37
*** raildo has quit IRC 12:40
*** iurygregory has quit IRC 12:51
*** raildo_ is now known as raildo 12:52
*** raildo_ has joined #openstack-barbican 13:06
*** raildo has quit IRC 13:08
*** spatel has joined #openstack-barbican 13:57
*** iurygregory has joined #openstack-barbican 14:13
*** rajivmucheli has joined #openstack-barbican 15:12
*** rajivmucheli has quit IRC 15:54
redrobot: noonedeadpunk right, for the MKEK and HMAC keys, you could use a different token (in a different slot) if your HSM provides a way to move the keys from one token to another. 16:01
redrobot: noonedeadpunk otherwise you will need to rotate the MKEK and HMAC 16:01
redrobot: because all PKEKs that are stored in the DB have been encrypted with the MKEK and signed with the HMAC keys 16:01
redrobot: for key rotation see the `barbican-manage hsm rewrap_pkek` command: https://docs.openstack.org/barbican/latest/admin/barbican_manage.html 16:04
redrobot: although now that I think of it, I'm not sure it will work if the old keys are in a different slot than the new keys (because we need to decrypt and then re-encrypt) 16:05
noonedeadpunk: oh, but if I can export/import there is a rotation command 16:12
noonedeadpunk: that's really nice, because I was afraid there wasn't :) 16:12
noonedeadpunk: but I'm wondering how old keys will be retrieved? 16:12
noonedeadpunk: I guess I need to create new ones with a new label? 16:13
noonedeadpunk: or is the old label stored somewhere? 16:13
redrobot: noonedeadpunk IIRC, the PKEK row in the db has the label that was used to encrypt it. The label in conf is used for new encryptions. So on a rotate, the db knows what the old label was and the conf points to the new label. 16:21
noonedeadpunk: aha, cool, thanks so much for the help! 16:23
*** d34dh0r53 has quit IRC 17:43
*** d34dh0r53 has joined #openstack-barbican 17:45
*** raildo_ is now known as raildo 18:10
*** spatel has quit IRC 18:40
*** spatel has joined #openstack-barbican 18:44
*** raildo has quit IRC 19:10
*** raildo has joined #openstack-barbican 19:11
*** raildo has quit IRC 19:11
openstackgerrit: Ade Lee proposed openstack/ansible-role-thales-hsm master: Add support for configuring load_sharing mode  https://review.opendev.org/c/openstack/ansible-role-thales-hsm/+/775018 21:04
*** xek has joined #openstack-barbican 21:06
*** xek has quit IRC 22:02
*** spatel has quit IRC 22:09
openstackgerrit: Merged openstack/barbican-tempest-plugin master: [goal] Keep barbican-tempest-plugin stable jobs to bionic  https://review.opendev.org/c/openstack/barbican-tempest-plugin/+/756185 22:17
openstackgerrit: Ade Lee proposed openstack/ansible-role-thales-hsm master: Add support for configuring load_sharing mode  https://review.opendev.org/c/openstack/ansible-role-thales-hsm/+/775018 22:19

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!