

Castellan is a generic Key Manager interface developed by the Barbican team. It enables projects to use a configurable key manager that can be deployment specific.


Isn't Barbican the official Key Manager for OpenStack?

We would like Barbican to be the official Key Manager; however, a few projects were hesitant to add Barbican as a requirement. We noticed that these projects were using similar key manager interfaces so that they could use Barbican when available, or another interface implementation when Barbican was not available. To reduce code duplication across OpenStack, we created Castellan to be the common key manager abstraction. You can think of Castellan as a sort of oslo.key_manager with different drivers for different key management systems.

So I should use Castellan instead of python-barbicanclient?

It depends. Castellan strives to be a lowest-common-denominator key manager interface, so it is limited to key management features that are common across many key management systems. If you just need basic storage of secrets and you want to ensure your project can run in clouds without Barbican, then Castellan may be right for you.

Barbican does offer a lot of good features that are not available in any other key manager. If you want to take advantage of those features, and you know your app will be used in a cloud with a Barbican deployment, then you should use python-barbicanclient instead.

What other drivers are available for Castellan besides Barbican?

Currently, only the Barbican driver is recommended for production use. However, a KMIP device driver is on the roadmap.