*** mhen_ is now known as mhen | 02:40 | |
opendevreview | Merged openstack/python-barbicanclient master: Fixed typo in the release notes https://review.opendev.org/c/openstack/python-barbicanclient/+/876332 | 10:50 |
opendevreview | Merged openstack/barbican master: Release notes for secret consumers, microversions and CVE fix https://review.opendev.org/c/openstack/barbican/+/876353 | 10:53 |
rajiv_ | Hi, | 11:54 |
dmendiza[m] | 🙋♂️ | 12:01 |
rajiv_ | helloo | 12:01 |
xek | startmeeting barbican | 12:02 |
xek | ===================== | 12:02 |
xek | * startmeeting barbican | 12:02 |
xek | ===================== | 12:02 |
xek | startmeeting barbican | 12:02 |
xek | ===================== | 12:02 |
xek | ops | 12:02 |
dmendiza[m] | 🙋♂️ | 12:02 |
xek | #startmeeting barbican | 12:02 |
opendevmeet | Meeting started Tue Mar 7 12:02:53 2023 UTC and is due to finish in 60 minutes. The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot. | 12:02 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 12:02 |
opendevmeet | The meeting name has been set to 'barbican' | 12:02 |
dmendiza[m] | 🙋♂️ | 12:03 |
Luzi | o/ | 12:03 |
xek | dmendiza, Luzi, o/ | 12:03 |
xek | #topic Roll Call | 12:04 |
xek | Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung | 12:04 |
xek | As usual our agenda can be found here: | 12:04 |
xek | #link https://etherpad.openstack.org/p/barbican-weekly-meeting | 12:04 |
xek | We have just the usual topics today | 12:05 |
xek | #topic Review Past Meeting Action Items | 12:05 |
xek | #link https://meetings.opendev.org/meetings/barbican/2023/barbican.2023-02-28-12.01.html | 12:06 |
xek | Look into why Zed release notes is broken https://docs.openstack.org/releasenotes/barbican/zed.html | 12:06 |
xek | mharley took a look at it last week | 12:06 |
xek | Turns out, we just didn't have any release notes for Zed | 12:06 |
xek | It was the same case for Antelope (for the barbican project) | 12:07 |
xek | So mharley created new reviews to add a few relevant release notes | 12:07 |
xek | They were merged today | 12:08 |
xek | #topic Liaison Updates | 12:08 |
xek | #link https://governance.openstack.org/election/ | 12:10 |
xek | TC Election and PTL Election end in 1d 11h 34m | 12:10 |
xek | Luzi, dmendiza, do you have any updates to add? | 12:11 |
Luzi | nothing from my side | 12:12 |
dmendiza[m] | Nothing here either | 12:12 |
xek | Ack, thanks! | 12:13 |
xek | Let's go to the next topic | 12:13 |
xek | #topic Open Discussion | 12:13 |
rajiv_ | hi, i have mailed you guys my query, sub : Query on Multiple backend Secret Order creation | 12:14 |
rajiv_ | did anyone get a chance to read the mail ? | 12:14 |
xek | rajiv_, I did, but I don't have any experience with this part of barbican | 12:15 |
dmendiza[m] | link to the ML? | 12:15 |
xek | dmendiza it was a private message, alee forwarded it to you afaik | 12:16 |
rajiv_ | i also created a ticket with Thales but they closed the ticket saying it's an application issue, we enabled cklog on the HSM device but found nothing from barbican | 12:16 |
xek | "Query on Multiple backend Secret Order creation" | 12:16 |
rajiv_ | yes, Ade added you to the mail chain | 12:16 |
rajiv_ | yes | 12:16 |
* dmendiza[m] looks through the mountain of email | 12:17 | |
dmendiza[m] | rajiv_: I'd recommend sending it to the mailing list next time openstack-discuss@lists.openstack.org | 12:17 |
rajiv_ | ack, it was only 4 mails in the thread, including 2 follow-ups | 12:18 |
rajiv_ | long story short : my production barbican backend is using Thales A790, when we try to create an asymmetric secret order we get : | 12:18 |
rajiv_ | ERROR barbican.tasks.resources barbican.plugin.crypto.base.CryptoPluginUnsupportedOperation: Could not find an enabled crypto plugin backend that supports the requested operation: store or generate a secret of type ASYMMETRIC_KEY_GENERATION with algorithm rsa, bit length 1024, and mode None | 12:18 |
dmendiza[m] | > I think there was an option to select the secret store before creation ? or is this deprecated ? | 12:18 |
dmendiza[m] | There is an API to set the preferred secret store per-project | 12:19 |
rajiv_ | my last mail (today) shared the selection of store : https://review.opendev.org/c/openstack/barbican/+/341803/13/doc/source/api/reference/store_backends.rst#261 | 12:19 |
rajiv_ | is this selection allowed in prod as well ? it works fine. | 12:19 |
dmendiza[m] | #link https://docs.openstack.org/barbican/zed/api/reference/store_backends.html | 12:19 |
rajiv_ | i want to understand if there are any known side-effects, etc | 12:19 |
rajiv_ | dmendiza[m]: is this fine enabling secret store per project in prod ? are there any known issues ? | 12:22 |
dmendiza[m] | It's a fully supported feature | 12:22 |
dmendiza[m] | So, yes, you can use it in prod | 12:22 |
dmendiza[m] | > generate a secret of type ASYMMETRIC_KEY_GENERATION with algorithm rsa, bit length 1024, and mode None | 12:22 |
dmendiza[m] | try again with mode=CBC | 12:22 |
dmendiza[m] | oh whoops, never mind | 12:23 |
dmendiza[m] | don't do that | 12:23 |
* dmendiza[m] is still waiting for coffee to kick in | 12:23 | |
rajiv_ | thanks for your confirmation, would this be a workaround for the above error message or the actual functionality to proceed. | 12:23 |
rajiv_ | :) | 12:23 |
dmendiza[m] | > ASYMMETRIC_KEY_GENERATION | 12:23 |
dmendiza[m] | This has not been implemented for PKCS#11 (used for HSMs) | 12:23 |
dmendiza[m] | #link https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/crypto/p11_crypto.py#L193-L194 | 12:24 |
rajiv_ | ah ok, hence the above error message | 12:24 |
dmendiza[m] | Yeah, so if the user's project is set to use the HSM backend, then they won't be able to generate asymmetric keys | 12:25 |
dmendiza[m] | You'd have to set the backend to SimpleCrypto | 12:25 |
dmendiza[m] | or you can help us implement that part of PKCS#11 backend 😄 | 12:25 |
xek | dmendiza, thanks for taking a look at this :) | 12:26 |
rajiv_ | sure, asymmetric certs is deprecated. keys works fine | 12:26 |
rajiv_ | :) | 12:26 |
xek | rajiv_, if you think the documentation is lacking, maybe you can propose some changes | 12:26 |
xek | I'll happily review those | 12:27 |
rajiv_ | xek: sure, is there docu on how to do it ? i would like to raise a few PRs. In my prod, HSM integration on FIPS mode also works, until firmware 7.4.0 | 12:27 |
xek | rajiv_, the documentation is in the project tree of either barbican or python-barbicanclient | 12:28 |
xek | in doc/source/ | 12:28 |
rajiv_ | roger that | 12:29 |
xek | Ok, let's go to the last topic | 12:30 |
xek | #topic Bug Review | 12:30 |
xek | There is one new bug | 12:31 |
xek | link https://storyboard.openstack.org/#!/story/2010625 | 12:31 |
xek | ====================================================== | 12:31 |
xek | #link https://storyboard.openstack.org/#!/story/2010625 | 12:31 |
xek | The main issue seems to be the accumulating non-deleted entries in orders table | 12:33 |
xek | when using castellan | 12:33 |
dmendiza[m] | Yeah, reading through the bug report | 12:34 |
xek | dmendiza, maybe we can sync later to decide if one of the proposed weys to get around this is how we want to proceed | 12:35 |
xek | *ways | 12:35 |
dmendiza[m] | Looks like they've started a thread on openstack-discuss as well: | 12:35 |
dmendiza[m] | #link https://lists.openstack.org/pipermail/openstack-discuss/2023-March/032585.html | 12:35 |
xek | Ok, I guess we can continue the discussion there | 12:36 |
dmendiza[m] | Grzegorz Grasza: yeah, let's get ade_lee 's opinion too | 12:36 |
xek | Ok, that completes the list of topics for today | 12:37 |
xek | See y'all next week! | 12:37 |
dmendiza[m] | Thanks, Grzegorz Grasza ! | 12:38 |
xek | #endmeeting | 12:38 |
opendevmeet | Meeting ended Tue Mar 7 12:38:12 2023 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 12:38 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/barbican/2023/barbican.2023-03-07-12.02.html | 12:38 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/barbican/2023/barbican.2023-03-07-12.02.txt | 12:38 |
opendevmeet | Log: https://meetings.opendev.org/meetings/barbican/2023/barbican.2023-03-07-12.02.log.html | 12:38 |
*** blarnath is now known as d34dh0r53 | 14:58 | |
bkranendonk | Hello all. Is it true that only the MKEK key will be stored in a HSM using the PKCS11 implementation? | 15:25 |
bkranendonk | And that all KEK keys will be stored and encrypted in the MySQL db? | 15:26 |
dmendiza[m] | Hi bkranendonk | 18:43 |
dmendiza[m] | Yes, the current implementation of the PKCS#11 backend only stores two keys in the hsm: The MKEK and the MHMAC | 18:44 |
dmendiza[m] | All PKEKs are stored as ciphertext in the DB | 18:45 |
dmendiza[m] | it was an early design decision due to severely constrained storage limits in Thales Luna HSMs | 18:45 |
dmendiza[m] | e.g. a reasonably sized cloud could fill up the storage in an HSM in a matter of days | 18:46 |
dmendiza[m] | PKEKs are only unwrapped inside the HSM and never leave the HSM unencrypted. | 18:48 |