Jump to: navigation, search

Barbican/Blueprints/dogtag-plugin

< Barbican‎ | Blueprints
Revision as of 23:38, 16 January 2014 by Lisa Clark (talk | contribs) (References)

Abstract

This blueprint is for creating a Barbican crypto plugin so that Barbican deployments can use the RedHat DogTag Data Recovery Manager (DRM) as a key management back-end.

Description

To support a RedHat DRM as a key management back-end, changes will be needed relative to 2 main workflows:

  1. Creating a secret
Create Secret using DogTag Plugin
NOTE: Between Barbican and DRM will be the DogTag plugin to integrate with DRM.
  1. Retrieving a secret
Retrieving a Secret using DogTag Plugin

Proposed Changes

  • python-barbicanclient
  1. Modify to support retrieving a transport key for encryption and decryption between Barbican client and Barbican
  2. Generate a session key for the lifespan of the transaction to encrypt data sent and decrypt data received
  3. Allow clients to optionally provide a passphrase, else self generate.
  4. Decrypt the retrieved secret using the session encrypted passphrase.
  • Barbican
  1. API
    1. New resource to retrieve a transport key and to use the crypto plugin to retrieve a transport key
  2. Crypto Plugin interface
    1. modify create() method to return the encrypted datum (vs the current raw data). It should have the same return contract as the encrypt() method (i.e. the secret generation and the secret encryption operations will be combined).
    2. new method() to return a transport key

References

[1] Blueprint

[2] Barbican on Github

[3] Python Barbican Client on Github

[4] RedHat DogTag