Thanks a lot John for your response. It has helped me.

Thanks and Regards,
Asha Seshagiri
On Fri, Apr 17, 2015 at 2:28 PM, John Wood <[email protected]> wrote:
> Hello Asha,
>
> So the last step you have is retrieving a decrypted secret from
> Barbican. Barbican indeed stores the secret internally encrypted using an
> internal KEK. When it is retrieved however, it is first decrypted by
> Barbican and then returned to the client decrypted.
>
> Beyond TLS to protect this information back to the client, there is also
> a transport key feature that has not yet been fully supported via the
> client library, that allows the client to select a session key that can be
> used to encrypt the secret between the client and Barbican.
>
> Thanks,
> John
>
>
> From: Asha Seshagiri <[email protected]>
> Date: Friday, April 17, 2015 at 1:02 PM
> To: John Wood <[email protected]>
> Cc: openstack-dev <[email protected]>, "Reller, Nathan S." <[email protected]>, Douglas Mendizabal <[email protected]>, Paul Kehrer <[email protected]>, Adam Harwell <[email protected]>, Alexis Lee <[email protected]>
> Subject: Re: Barbican : What is the difference between secret and order resource
>
> Hi All,
>
> I would like to know if the keys generated by Barbican through the
> order resource are encrypted using KEKs and then stored in the secret
> object, or are stored in unencrypted format.
>
> Any help would be highly appreciated.
>
> Please find the commands and responses below:
>
> root@barbican:~# curl -H 'Accept: application/json' -H 'X-Project-Id:12345' http://localhost:9311/v1/orders
>
> {"total": 3, "orders": [{"status": "ACTIVE", "secret_ref":
> "http://localhost:9311/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2",
> "updated": "2015-03-13T22:27:48.866683", "meta": {"name": "secretname2",
> "algorithm": "aes", "payload_content_type": "application/octet-stream",
> "mode": "cbc", "bit_length": 256, "expiration": null}, "created":
> "2015-03-13T22:27:48.844860", "type": "key", "order_ref":
> "http://localhost:9311/v1/orders/5a4844ca-47a9-4bd7-ae56-fb84655f48d9"}, ....
>
> root@barbican:~# curl -H 'Accept: application/json' -H 'X-Project-Id:12345' http://localhost:9311/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2
>
> {"status": "ACTIVE", "secret_type": "opaque", "updated":
> "2015-03-13T22:27:48.863403", "name": "secretname2", "algorithm": "aes",
> "created": "2015-03-13T22:27:48.860600", "secret_ref":
> "http://localhost:9311/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2",
> "content_types": {"default": "application/octet-stream"}, "expiration":
> null, "bit_length": 256, "mode": "cbc"}
>
>
> root@barbican:~# curl -H 'Accept:application/octet-stream' -H 'X-Project-Id:12345' http://localhost:9311/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2
>
> ▒▒R▒v▒▒▒W▒4▒A?Md▒L[▒K4A▒▒bx▒▒▒
>
> I would like to know if this response is encrypted by Barbican using KEKs,
> or is in unencrypted format whose content type is application/octet-stream.
>
>
> Thanks and Regards,
> Asha Seshagiri
>
> On Fri, Apr 17, 2015 at 11:30 AM, Asha Seshagiri <[email protected]> wrote:
>
>> Thanks a lot John for your response.
>>
>> I also thank everyone who has been responding to my queries, in case I have
>> missed someone.
>> There was some problem while configuring my email. I do not receive the
>> email responses directly from the openstack Dev group. I would check the archive
>> folder for that.
>> I will have a look into it.
>>
>> Once again, it's nice working and collaborating with the openstack
>> Dev group.
>>
>> Thanks and Regards,
>> Asha Seshagiri
>>
>> On Thu, Apr 16, 2015 at 8:10 AM, John Wood <[email protected]> wrote:
>>
>>> Hello Asha,
>>>
>>> The /v1/secrets resource is used to upload, encrypt and store your
>>> secrets, and to decrypt and retrieve those secrets. Key encryption keys
>>> (KEKs) internal to Barbican are used to encrypt the secret.
>>>
>>> The /v1/orders resource is used when you want Barbican to generate
>>> secrets for you. When they are done they give you references to where the
>>> secrets are stored so you can retrieve them via the secrets resource above.
>>>
>>> Hope that helps!
>>>
>>> Thanks,
>>> John
>>>
>>> From: Asha Seshagiri <[email protected]>
>>> Date: Thursday, April 16, 2015 at 1:23 AM
>>> To: openstack-dev <[email protected]>
>>> Cc: John Wood <[email protected]>, "Reller, Nathan S." <[email protected]>, Douglas Mendizabal <[email protected]>, Paul Kehrer <[email protected]>, Adam Harwell <[email protected]>, Alexis Lee <[email protected]>
>>> Subject: Barbican : What is the difference between secret and order resource
>>>
>>> Hi All,
>>>
>>> What is the difference between the secret and the order resource?
>>> Where is the key stored that is used for encrypting the payload in the
>>> secret resource, and how do we access it?
>>>
>>> According to my understanding,
>>>
>>> Storing/Posting the secret means we are encrypting the actual
>>> information (payload) using the key generated internally by Barbican
>>> based on the type mentioned in the secret type.
>>> Getting the secret means we are decrypting the information and getting
>>> the actual information.
>>>
>>> Posting the order refers to the generation of the actual keys by
>>> Barbican and encrypting those keys based on the algorithm and the internal
>>> key generated by Barbican.
>>> This encrypted key is referred to through the secret reference, and the
>>> whole metadata is referred to through an order reference.
>>>
>>> Please correct me if I am wrong.
>>> Any help would be highly appreciated.
>>>
>>>
>>> --
>>> Thanks and Regards,
>>> Asha Seshagiri
>>
>>
>> --
>> Thanks and Regards,
>> Asha Seshagiri
>
>
> --
> Thanks and Regards,
> Asha Seshagiri

--
Thanks and Regards,
Asha Seshagiri
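The orders-to-secrets flow that John describes, as an added example that is not part of the original mailing-list exchange and is not Barbican's own client code. It lists orders, takes each completed key order's secret_ref, reads the secret metadata with Accept: application/json, then fetches the payload with the secret's default content type, which Barbican returns already decrypted. The BarbicanReader class, the injected fetch transport (so the script runs offline) and the sample responses are assumptions: the responses are constructed to match the shape of the curl output above, and the key bytes are a stand-in rather than captured traffic.

```python
"""Resolve Barbican key orders to raw key bytes (added example, not Barbican code).

Assumptions (not from the thread): the HTTP transport is injected as
fetch(url, headers) -> (status, body_bytes) so this runs offline, and the
BarbicanReader class plus every helper below is hypothetical.
"""
import json
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

Fetch = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


class BarbicanReader:
    def __init__(self, base_url: str, project_id: str, fetch: Fetch,
                 insecure_ok: bool = False) -> None:
        # Payloads come back decrypted, so anything but TLS exposes key bytes on the wire.
        if urlsplit(base_url).scheme != "https" and not insecure_ok:
            raise ValueError("refusing non-TLS Barbican endpoint: %s" % base_url)
        self.base_url = base_url.rstrip("/")
        self.project_id = project_id
        self.fetch = fetch

    def _get(self, url: str, accept: str) -> bytes:
        # Only follow refs that point back at the endpoint we were configured with.
        if not url.startswith(self.base_url + "/"):
            raise ValueError("ref %s is not under %s" % (url, self.base_url))
        status, body = self.fetch(url, {"Accept": accept, "X-Project-Id": self.project_id})
        if status != 200:
            raise RuntimeError("GET %s (Accept: %s) -> HTTP %d" % (url, accept, status))
        return body

    def list_orders(self) -> List[dict]:
        body = self._get(self.base_url + "/v1/orders", "application/json")
        return json.loads(body)["orders"]

    def secret_metadata(self, secret_ref: str) -> dict:
        # Accept: application/json returns metadata only (algorithm, bit_length, ...).
        return json.loads(self._get(secret_ref, "application/json"))

    def secret_payload(self, secret_ref: str, content_type: str) -> bytes:
        # Accept: <payload content type> returns the decrypted payload bytes.
        return self._get(secret_ref, content_type)

    def generated_key(self, order: dict) -> bytes:
        """Follow a completed key order to its key bytes, checking them against the metadata."""
        if order.get("type") != "key" or order.get("status") != "ACTIVE":
            raise ValueError("order %s is not a completed key order" % order.get("order_ref"))
        meta = self.secret_metadata(order["secret_ref"])
        key = self.secret_payload(order["secret_ref"], meta["content_types"]["default"])
        expected = meta["bit_length"] // 8
        if len(key) != expected:  # catches truncated bodies or an error page read as a key
            raise ValueError("expected %d key bytes, got %d" % (expected, len(key)))
        return key


# Constructed sample responses shaped like the curl output in the thread (not captured traffic).
BASE = "http://localhost:9311"
SECRET_REF = BASE + "/v1/secrets/b3709da7-4691-40d6-af9a-1ae23772a7b2"
ORDER_REF = BASE + "/v1/orders/5a4844ca-47a9-4bd7-ae56-fb84655f48d9"
SAMPLE_KEY = bytes(range(32))  # stand-in for the 256-bit key Barbican would generate

_ORDERS = {"total": 1, "orders": [{
    "status": "ACTIVE", "type": "key", "secret_ref": SECRET_REF, "order_ref": ORDER_REF,
    "meta": {"name": "secretname2", "algorithm": "aes", "mode": "cbc", "bit_length": 256,
             "payload_content_type": "application/octet-stream", "expiration": None}}]}
_SECRET_META = {
    "status": "ACTIVE", "secret_type": "opaque", "name": "secretname2", "algorithm": "aes",
    "mode": "cbc", "bit_length": 256, "secret_ref": SECRET_REF,
    "content_types": {"default": "application/octet-stream"}, "expiration": None}


def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """In-process stand-in for HTTP; dispatches on URL and Accept like the curl calls above."""
    accept = headers.get("Accept")
    if url == BASE + "/v1/orders" and accept == "application/json":
        return 200, json.dumps(_ORDERS).encode()
    if url == SECRET_REF and accept == "application/json":
        return 200, json.dumps(_SECRET_META).encode()
    if url == SECRET_REF and accept == "application/octet-stream":
        return 200, SAMPLE_KEY
    return 406, b""  # unsupported Accept for this secret (fake behaviour)


def demo() -> List[bytes]:
    # insecure_ok only because the transport is in-process; never against a real endpoint.
    reader = BarbicanReader(BASE, "12345", fake_fetch, insecure_ok=True)
    return [reader.generated_key(order) for order in reader.list_orders()]


if __name__ == "__main__":
    for key in demo():
        print("%d raw key bytes received; treat as plaintext key material" % len(key))
```

The point the checks make: the bytes that arrive are the key itself, not a KEK-wrapped blob, so the client refuses plain http unless explicitly told otherwise, and the length check against bit_length keeps an error body or truncated response from being used as a key.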
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
