rajiv | Hi | 15:02 |
---|---|---|
rajiv | is there no meeting today ? | 15:03 |
dmendiza[m] | Grzegorz Grasza: around? | 15:08 |
rajiv | Hey | 15:09 |
rajiv | dmendiza[m]: i wanted to follow up on last week's topic, wrt pkek | 15:10 |
rajiv | so the encryption takes place here : https://opendev.org/openstack/barbican/src/branch/stable/2023.2/barbican/plugin/crypto/p11_crypto.py#L218-L233 | 15:11 |
rajiv | which gets referred to here right ? https://opendev.org/openstack/barbican/src/branch/stable/2023.2/barbican/plugin/crypto/base.py#L262-L282 | 15:12 |
rajiv | does this mean this Class is called only when a new project is created ? the key doesn't exist in DB ? | 15:13 |
dmendiza[m] | rajiv: Right, so for the PKCS#11 backend, the MKEK and HMAC exist in the HSM. Then the first time a project uses Barbican (not when they are created in Keystone) - that's when the PKEK is created for that project. The PKEK is encrypted using the MKEK and the resulting cyphertext for the PKEK is stored in the DB. | 15:17 |
rajiv | thanks for confirming | 15:19 |
rajiv | is there a way to create the pkek manually ? | 15:20 |
dmendiza[m] | Hmm... I don't think so. | 15:20 |
rajiv | okay, could you share the file link as to where the pkek is actually created ? | 15:21 |
rajiv | i wanted to know if there is a way to control the creation | 15:23 |
rajiv | should i raise an issue or mail thread to discuss this further ? | 15:38 |
dmendiza[m] | rajiv: I don't remember off the top of my head, so I'm looking through the plugin code right now ... hang on ... | 15:52 |
rajiv | sure, thank you | 15:53 |
dmendiza[m] | rajiv: This is where PKEK gets generated: | 16:06 |
dmendiza[m] | Currently we are out of stock on the DEVELOPER/DESIGNER - Lenovo laptop model. | 16:06 |
dmendiza[m] | rajiv: this is where the PKEK gets generated: https://opendev.org/openstack/barbican/src/branch/stable/2023.2/barbican/plugin/crypto/p11_crypto.py#L443-L445 | 16:07 |
dmendiza[m] | rajiv: it happens when `store_secret` is called on the StoreCrypto plugin: https://opendev.org/openstack/barbican/src/branch/stable/2023.2/barbican/plugin/store_crypto.py#L81-L83 | 16:08 |
rajiv | i see, `CKM_AES_KEY_GEN` is initiated via the HSM device i think ? | 16:09 |