15:03:55 <xek> #startmeeting barbican
15:03:55 <opendevmeet> Meeting started Mon Aug 12 15:03:55 2024 UTC and is due to finish in 60 minutes.  The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:03:55 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:03:55 <opendevmeet> The meeting name has been set to 'barbican'
15:04:08 <xek> #topic Roll Call
15:04:19 <xek> Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley lpiwowar
15:04:20 <xek> o/
15:04:27 <d34dh0r53> o/
15:04:28 <dmendiza[m]> 🙋‍♂️
15:04:33 <xek> As usual our agenda can be found here:
15:04:40 <xek> #link https://etherpad.openstack.org/p/barbican-weekly-meeting
15:04:56 <xek> Just the usual topics today
15:05:25 <xek> #topic Review Past Meeting Action Items
15:05:42 <xek> #link https://meetings.opendev.org/meetings/barbican/2024/barbican.2024-08-05-15.01.html
15:05:44 <xek> There were none
15:05:57 <xek> #topic Liaison Updates
15:07:54 <xek> TC Nominations and PTL Nominations start in
15:08:02 <xek> 2d 8h 37m
15:08:09 <xek> #link https://governance.openstack.org/election/
15:08:53 <xek> That's all I had
15:09:27 <rajiv> Hi, I have a few questions, if there are no topics on the agenda.
15:09:34 <xek> #topic Open Discussion
15:09:49 <xek> rajiv go ahead :)
15:09:51 <rajiv> Which table is updated with the mkek and hmac keys?
15:10:31 <rajiv> I couldn't find the keys in the kek_id or encrypted_data table
15:11:44 <dmendiza[m]> Hi rajiv
15:13:34 <dmendiza[m]> When using the PKCS#11 backend, you actually have two rounds of encryption
15:13:35 <rajiv> Hey Doug,
15:13:49 <xek> I would guess this will be in the secrets table?
15:14:13 <dmendiza[m]> Barbican creates a PKEK, which stands for Project-specific Key Encryption Key
15:14:30 <dmendiza[m]> The MKEK and HMAC keys are used to encrypt the PKEK, and are not used to encrypt secrets
15:14:53 <dmendiza[m]> the Secrets themselves are encrypted using the PKEK that belongs to the Project in the context object
15:15:48 <rajiv> the background is that the HSM device went down
15:15:52 <dmendiza[m]> The details should be stored in kek_meta_dto and kek_meta_extend, although I don't recall off the top of my head which table that is.
15:16:59 <rajiv> when I tried to create a new key with the same label I had errors
15:17:15 <rajiv> hence I had to update all keys with a new kek_id
15:17:35 <rajiv> are these columns or tables? kek_meta_dto and kek_meta_extend
15:17:54 <dmendiza[m]> Hmmm....   by "create a new key" do you mean you have a different key than before?
15:18:39 <rajiv> yes for both scenarios
15:19:16 <dmendiza[m]> Updating the Key ID will not work if that's the case
15:19:25 <dmendiza[m]> OK, so, unless you have a backup of the old key and are able to restore the old key to your HSM then I am afraid all your data is lost
15:19:36 <rajiv> if a new key is created, what's the workflow wrt the DB?
15:19:40 <dmendiza[m]> Encryption and Decryption work with a specific key.  If you encrypt something with key X and then try to decrypt with key Y, you will not be able to.
15:19:50 <rajiv> yes, I learnt this the hard way
15:20:11 <dmendiza[m]> The best way to move forward is to change the name of your new key
15:20:19 <dmendiza[m]> and accept that data encrypted with the old key is now lost forever. :(
15:21:12 <rajiv> very true, I was presuming that updating the DB with the kek_id on the encryption_data table would help, hence I am asking for details.
15:21:54 <dmendiza[m]> You may be able to trick barbican into using the new key if you updated the DB data, but ultimately decryption will fail because the old key is not available.
15:22:13 <dmendiza[m]> e.g.
15:22:19 <rajiv> I created multiple keys on the partition, but I only see the one which is configured; I don't see the new keys
15:23:00 <rajiv> yes, that's my intent, to take care of the case where the keys are lost
15:24:48 <dmendiza[m]> Managing the KEK in the HSM is outside of the scope of Barbican.  You should be able to look at all the keys stored in the HSM using a tool provided by your vendor.
15:25:07 <rajiv> okay, this query didn't help: "select * from kek_data where plugin_name='barbican.plugin.crypto.p11_crypto.P11CryptoPlugin';"
15:25:45 <rajiv> if I get the id of the new keys in the kek_id table, I can play around with barbican-manage or the API to help me
15:30:07 <rajiv> the id from the kek_id table is used in the encrypted_data table that the secrets are encrypted with, hence if I know how barbican fetches or creates the new keys on the DB level, I can adapt my scripts accordingly.
15:31:15 <rajiv> I also found CKR_INVALID_SIGNATURE in the barbican logs if multiple keys are present on the same partition to which barbican is configured.
15:32:09 <rajiv> lastly, has anyone played around with multiple barbican instances in 1 openstack installation? I have a requirement to support a customer per barbican instance in 1 openstack installation
15:32:58 <dmendiza[m]> Hmm... that is  .... interesting.  Barbican does provide tenant-separation, so having a whole new deployment for a single tenant seems like overkill
15:33:45 <dmendiza[m]> I have no experience doing that.  The tricky part might be configuring keystone to provide the correct URL in the endpoint list
15:34:16 <dmendiza[m]> Also, I'm not sure how keystonemiddleware would prevent a valid tenant from using a barbican instance
15:34:23 <dmendiza[m]> you might need to write your own middleware for that
15:34:52 <rajiv> okay thanks
15:35:12 <rajiv> so to conclude, how do I find the table in which the keys are stored?
15:35:30 <rajiv> I presume reviewing this https://review.opendev.org/c/openstack/barbican/+/923822 would take longer?
15:36:33 <rajiv> I looked into https://github.com/openstack/barbican/blob/stable/2023.2/barbican/plugin/crypto/pkcs11.py to understand the DB flow but had no luck, are there any other hints on where to search?
15:38:34 <dmendiza[m]> I think this is the DB model you're looking for: https://opendev.org/openstack/barbican/src/branch/master/barbican/model/models.py#L544
15:40:11 <rajiv> I looked into this already ;) as it pointed to the kek_data table, this was the basis for my initial conversation
15:40:31 <dmendiza[m]> Actual secrets are stored here: https://opendev.org/openstack/barbican/src/branch/master/barbican/model/models.py#L503 and should have a reference to the PKEK used
15:46:43 <dmendiza[m]> I'm out on PTO the rest of the week, but remind me again next week and I will try to take a deeper look.
15:47:25 <rajiv> okay sure
15:48:20 <xek> ok, let's continue to the last topic :)
15:48:26 <xek> #topic Bug Review
15:48:52 <xek> There were no new bugs reported
15:49:05 <xek> That's it for today
15:49:09 <xek> See y'all next week!
15:49:09 <xek> #endmeeting