Configure OpenStack Barbican to Use Utimaco HSM

  1. Add the following settings to the barbican.conf file, replacing the placeholders in <> with the relevant values.

barbican.conf

[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

[crypto]
enabled_crypto_plugins = p11_crypto

[p11_crypto_plugin]

# Path to Utimaco PKCS#11 library
library_path = /opt/utimaco/lib/libcs_pkcs11_R2.so

# CryptoUser PIN to login to PKCS#11
login = <CryptoUser_PIN>

# Master Key Encryption Key and HMAC labels
mkek_label = mkek_utimaco
mkek_length = 32
hmac_label = hmac_utimaco

# HSM Slot ID (integer value)
slot_id = <slot_id>

# AES encryption mechanism (as used by Utimaco)
encryption_mechanism = CKM_AES_CBC

The mkek_utimaco and hmac_utimaco keys are generated on the Utimaco HSM in slot 1 in the next section of this document.
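
A sanity check for the settings above, written as an added example; it is not part of the original page and is not Barbican or Utimaco tooling. It reports template placeholders left in place, a non-integer slot_id, a missing PKCS#11 library, and a file mode that lets other users read the clear-text CryptoUser PIN. The name check_barbican_conf, the constructed sample text and the file-mode rule are assumptions of this example.

```python
import configparser
import os
import re
import stat

PLACEHOLDER = re.compile(r"^<[^<>]+>$")  # an unreplaced <...> template value
REQUIRED = ("library_path", "login", "mkek_label", "mkek_length",
            "hmac_label", "slot_id", "encryption_mechanism")
ENABLED = (("secretstore", "enabled_secretstore_plugins", "store_crypto"),
           ("crypto", "enabled_crypto_plugins", "p11_crypto"))

# Constructed sample: the page's settings with both placeholders left in.
SAMPLE = """\
[secretstore]
enabled_secretstore_plugins = store_crypto
[crypto]
enabled_crypto_plugins = p11_crypto
[p11_crypto_plugin]
library_path = /opt/utimaco/lib/libcs_pkcs11_R2.so
login = <CryptoUser_PIN>
mkek_label = mkek_utimaco
mkek_length = 32
hmac_label = hmac_utimaco
slot_id = <slot_id>
encryption_mechanism = CKM_AES_CBC
"""

def check_barbican_conf(text, mode=None, lib_exists=os.path.exists):
    """Return the problems found in barbican.conf text; an empty list means OK."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = [f"[{s}] {k} is not {want}" for s, k, want in ENABLED
                if cp.get(s, k, fallback="").strip() != want]
    values = {k: cp.get("p11_crypto_plugin", k, fallback="").strip() for k in REQUIRED}
    for key, value in values.items():
        if not value:
            problems.append(f"{key}: missing")
        elif PLACEHOLDER.match(value):
            problems.append(f"{key}: placeholder not replaced")
        elif key == "slot_id" and not value.isdigit():
            problems.append("slot_id: not an integer")
        elif key == "library_path" and not lib_exists(value):
            problems.append("library_path: file not found")
    # The CryptoUser PIN is stored here in clear text, so no access for "other".
    if mode is not None and mode & stat.S_IRWXO:
        problems.append("file mode: accessible to other users")
    return problems

if __name__ == "__main__":
    print("\n".join(check_barbican_conf(SAMPLE, mode=0o644, lib_exists=lambda p: True)))
```

To check a real file, pass its contents as text and stat.S_IMODE(os.stat(path).st_mode) as mode.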