Key Rotation/Migration

KEK Rewrap Compatibility

In OpenStack Barbican Dalmatian (2024.2), the PKCS#11 unwrap_key() method takes the wrapping mechanism as an explicit first parameter, while the rewrap_pkek utility (pkcs11_kek_rewrap.py) still calls it with the older four-argument signature. Because the call no longer matches the method signature, KEK rewrapping fails before any key is touched. A small compatibility fix is required: pass the configured key-wrap mechanism, self.pkcs11.key_wrap_mechanism, as the first argument to unwrap_key().

The compatibility fix is performed with the following steps:

  1. Locate the pkcs11_kek_rewrap.py script (in a DevStack installation this is /opt/stack/barbican/barbican/cmd/pkcs11_kek_rewrap.py).

  2. Find the original unwrap_key() call.

pkcs11_kek_rewrap.py

current_kek = self.pkcs11.unwrap_key(kek_mkek, iv, wrapped_key, session)

  3. Update the call so the configured key-wrap mechanism is passed as the first argument.

pkcs11_kek_rewrap.py

current_kek = self.pkcs11.unwrap_key(self.pkcs11.key_wrap_mechanism, kek_mkek, iv, wrapped_key, session)

  4. Save the changes.
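The fix above is a single call site, but it is easy to apply twice or to apply to a file that was already patched upstream. The following script is an added example (not part of this guide, of Barbican, or of Utimaco's tooling) that classifies the file as already fixed, needing the fix, or unrecognised, and patches it only in the first case. The DevStack path, the --apply flag and the function names are this example's own choices; the two call forms it looks for are exactly the before and after lines shown above.

```python
"""Check and apply the unwrap_key() call-signature fix to pkcs11_kek_rewrap.py.

Added example, not part of the Utimaco/Barbican guide. It edits only the one
call the guide describes and is idempotent: a file that already passes the
mechanism is left untouched, and a file with zero or several unwrap_key()
calls is reported as 'unknown' rather than guessed at.
"""
import re
import sys

# Assumed default: the DevStack location named in the guide.
DEFAULT_PATH = "/opt/stack/barbican/barbican/cmd/pkcs11_kek_rewrap.py"

NEW_CALL = ("self.pkcs11.unwrap_key(self.pkcs11.key_wrap_mechanism, "
            "kek_mkek, iv, wrapped_key, session)")

# Match the call however it is indented or wrapped across lines.
_CALL_RE = re.compile(r"self\.pkcs11\.unwrap_key\(\s*(?P<args>[^)]*)\)", re.S)

OLD_ARGS = ["kek_mkek", "iv", "wrapped_key", "session"]
NEW_ARGS = ["self.pkcs11.key_wrap_mechanism"] + OLD_ARGS


def classify(source: str) -> str:
    """Return 'fixed', 'needs_fix' or 'unknown' for the file contents."""
    matches = _CALL_RE.findall(source)
    if len(matches) != 1:
        return "unknown"          # zero or several calls: do not guess
    args = [a.strip() for a in matches[0].split(",")]
    if args == OLD_ARGS:
        return "needs_fix"
    if args == NEW_ARGS:
        return "fixed"
    return "unknown"


def apply_fix(source: str) -> str:
    """Return the patched source; unchanged if nothing needs patching."""
    if classify(source) != "needs_fix":
        return source
    return _CALL_RE.sub(NEW_CALL, source, count=1)


def main(argv):
    """Usage: fix_rewrap.py [PATH] [--apply]; without --apply only reports."""
    args = [a for a in argv[1:] if a != "--apply"]
    path = args[0] if args else DEFAULT_PATH
    with open(path) as f:
        src = f.read()
    state = classify(src)
    print(f"{path}: {state}")
    if state == "needs_fix" and "--apply" in argv:
        with open(path, "w") as f:
            f.write(apply_fix(src))
        print("patched")
    return 0 if state != "unknown" else 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once without --apply to see the verdict, then with --apply; a second run reports "fixed" and changes nothing.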

Perform the key rotation using the following steps:

  1. Generate a new MKEK with the p11tool2 GenerateKey command below. The attributes keep the key non-extractable (CKA_EXTRACTABLE=false) and restrict it to wrapping and unwrapping (CKA_WRAP and CKA_UNWRAP true, CKA_ENCRYPT and CKA_DECRYPT false). Use a label that differs from the MKEK currently in use.

›_ Console

# ./p11tool2 Slot=<slot_id> LoginUser=<CryptoUser_PIN> KeyAttr=CKA_LABEL="mkek_utimaco1234",CKA_VALUE_LEN=32,CKA_WRAP=true,CKA_UNWRAP=true,CKA_ENCRYPT=false,CKA_DECRYPT=false,CKA_EXTRACTABLE=false GenerateKey=AES


Figure: New MKEK generated (CreatedMKEK2.png)

  2. Generate a new HMAC key with the barbican-manage hsm gen_hmac command, again under a new label.

›_ Console

# sudo -u stack -E barbican-manage hsm gen_hmac --library-path '/opt/utimaco/lib/libcs_pkcs11_R2.so' --passphrase <CryptoUser_PIN> --slot-id <slot_id> --label 'hmac_utimaco1234' --length 32


Figure: New HMAC key generated (CreatedHMAC2.png)

  3. Verify that both keys exist on the Utimaco HSM using the p11tool2 ListObjects command.

›_ Console

# ./p11tool2 slot=<slot_id> LoginUser=<CryptoUser_PIN> ListObjects


Figure: Listing keys with p11tool2 (MKEK) (ListObjects_MKEK2.png)

Figure: Listing keys with p11tool2 (HMAC) (ListObjects_HMAC2.png)

  4. Initialize and authorize the new keys using the procedure described in Initialize and Authorize HMAC and MKEK for CP5. The same authorization key KA.key can be used.

  5. Open barbican.conf and change the ‘mkek_label’ and ‘hmac_label’ values in the p11_crypto_plugin section to the labels of the keys created in the previous steps.

barbican.conf

# Master Key Encryption Key and HMAC labels
mkek_label = mkek_utimaco1234
mkek_length = 32
hmac_label = hmac_utimaco1234

  6. Restart the OpenStack Barbican services so the plugin picks up the new labels.

›_ Console

# sudo systemctl restart devstack@barbican*

  7. Run the rewrap_pkek command to rewrap every stored project KEK (PKEK) with the new MKEK. Keep the old MKEK and HMAC key on the HSM until the next step succeeds: the utility must unwrap each PKEK with the old MKEK before it can wrap it with the new one.

›_ Console

# sudo -u stack -E barbican-manage hsm rewrap_pkek


Figure: Rewrapping PKEK (RewrapPKEK.png)

  8. Verify that the value of the secret generated earlier can still be retrieved. A successful read shows that the rewrapped PKEK unwraps under the new MKEK; do not remove the old MKEK and HMAC key from the HSM until this check passes.

›_ Console

# openstack secret get <secret_href> --payload


Figure: Fetching the secret's value after PKEK rewrap (GetSecretWithValueAfterRewrap.png)
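Two things the rotation procedure above depends on but never checks are the attribute template handed to p11tool2 GenerateKey (a wrap-only, non-extractable AES-256 key) and that the labels written to barbican.conf really are new ones. The script below is an added example, not part of this guide or of Barbican, that performs both preflight checks offline. The KeyAttr string format is the one used in the GenerateKey command above, the section and option names are Barbican's p11_crypto_plugin options, and the sample configuration (with the old labels mkek_utimaco and hmac_utimaco) is constructed for the example.

```python
"""Preflight checks for an MKEK/HMAC rotation.

Added example, not part of the Utimaco/Barbican guide. It validates the
p11tool2 KeyAttr template for the new MKEK against a wrap-only policy and
rewrites the p11_crypto_plugin labels in barbican.conf, refusing to 'rotate'
to a label that is already the configured one.
"""
import configparser
import io

# Attribute policy for an MKEK: AES-256, wrap/unwrap only, never extractable.
MKEK_POLICY = {
    "CKA_VALUE_LEN": "32",
    "CKA_WRAP": "true",
    "CKA_UNWRAP": "true",
    "CKA_ENCRYPT": "false",
    "CKA_DECRYPT": "false",
    "CKA_EXTRACTABLE": "false",
}

# Constructed sample input: the KeyAttr value from the guide's GenerateKey call
# and a minimal barbican.conf that still names the previous keys.
SAMPLE_KEYATTR = ('CKA_LABEL="mkek_utimaco1234",CKA_VALUE_LEN=32,CKA_WRAP=true,'
                  'CKA_UNWRAP=true,CKA_ENCRYPT=false,CKA_DECRYPT=false,'
                  'CKA_EXTRACTABLE=false')
SAMPLE_CONF = """[p11_crypto_plugin]
mkek_label = mkek_utimaco
mkek_length = 32
hmac_label = hmac_utimaco
"""


def parse_keyattr(keyattr: str) -> dict:
    """Parse 'CKA_LABEL="x",CKA_VALUE_LEN=32,...' into {name: value}."""
    attrs = {}
    for item in keyattr.split(","):
        name, _, value = item.partition("=")
        attrs[name.strip()] = value.strip().strip('"')
    return attrs


def check_mkek_template(keyattr: str) -> list:
    """Return policy violations for an MKEK template; empty list means OK."""
    attrs = parse_keyattr(keyattr)
    problems = []
    if not attrs.get("CKA_LABEL"):
        problems.append("CKA_LABEL missing")
    for name, want in MKEK_POLICY.items():
        got = attrs.get(name)
        if got is None:
            problems.append(f"{name} not set (want {want})")
        elif got.lower() != want:
            problems.append(f"{name}={got} (want {want})")
    return problems


def rotate_labels(conf_text: str, new_mkek: str, new_hmac: str) -> str:
    """Return conf text with mkek_label/hmac_label switched to the new keys.

    Raises ValueError if a new label equals the currently configured one:
    rewrap_pkek would then have no old key to unwrap with.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["p11_crypto_plugin"]
    if sec.get("mkek_label") == new_mkek:
        raise ValueError(f"mkek_label is already {new_mkek}; choose a new label")
    if sec.get("hmac_label") == new_hmac:
        raise ValueError(f"hmac_label is already {new_hmac}; choose a new label")
    sec["mkek_label"] = new_mkek
    sec["hmac_label"] = new_hmac
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print("MKEK template problems:", check_mkek_template(SAMPLE_KEYATTR) or "none")
    print(rotate_labels(SAMPLE_CONF, "mkek_utimaco1234", "hmac_utimaco1234"))
```

configparser rewrites the whole section and drops comments, so on a production barbican.conf use rotate_labels() as the check and edit the two lines by hand, or feed its output to a review before installing it.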