Jump to: navigation, search



This blueprint is for creating a Barbican crypto plugin so that Barbican deployments can use the RedHat DogTag Data Recovery Manager (DRM) as a key management back-end.


To support a RedHat DRM as a key management back-end, changes will be needed relative to 2 main workflows:

Creating a secret

Create Secret using DogTag Plugin
NOTE: Between Barbican and DRM will be the DogTag plugin to integrate with DRM.

Retrieving a secret

Retrieving a Secret using DogTag Plugin

Proposed Changes

  • python-barbicanclient
  1. Modify to support retrieving a transport key for encryption and decryption between Barbican client and Barbican
  2. Generate a session key for the lifespan of the transaction to encrypt data sent and decrypt data received
  3. Allow clients to optionally provide a passphrase, else self generate.
  4. Decrypt the retrieved secret using the session encrypted passphrase.
  • Barbican
  1. API
    1. New resource to retrieve a transport key and to use the crypto plugin to retrieve a transport key
    2. Initial setup: During installation of a DogTag DRM, a user and certificate is created and the public cert is available for use in Barbican
    3. Config changes to support configuration specific to DogTag Plugin
  2. Crypto Plugin interface
    1. modify create() method to return the encrypted datum (vs the current raw data). It should have the same return contract as the encrypt() method (i.e. the secret generation and the secret encryption operations will be combined).
    2. new method() to return a transport key
  3. Dev Plugin
    1. Modify to support different contract behavior on create()
  4. DogTag Crypto Plugin
    1. abstraction layer for the DogTag Python library


[1] Blueprint

[2] Barbican on Github

[3] Python Barbican Client on Github

[4] RedHat DogTag

[5] DogTag REST

[6] Using the Python Key Client