Encrypting and Decrypting Secrets

  1. Create a secret or password.

›_ Console

# openstack secret store --name utimaco123 --payload password


Figure: Creating a secret with OpenStack Barbican

Here, utimaco123 is the secret name and password is its value. The secret is stored in encrypted form in OpenStack Barbican.

  2. You can also verify that the encryption operation is logged in the PKCS#11 log file cs_pkcs11_R3.log during secret generation, as shown below.

Figure: PKCS#11 logs

  3. Fetch the created secret without its value.

›_ Console

# openstack secret get http://barbican:9311/v1/secrets/8ac7918d-36ce-4cae-b1d9-a2a818ea30a0


Figure: Get secret without payload

  4. Fetch the created secret together with its value.

›_ Console

# openstack secret get http://barbican:9311/v1/secrets/8ac7918d-36ce-4cae-b1d9-a2a818ea30a0 --payload


Figure: Get secret with payload

The secret is decrypted first and then displayed.

  5. You can also verify that the decryption operation is logged in the PKCS#11 log file cs_pkcs11_R3.log during secret retrieval, as shown below.

Figure: PKCS#11 logs
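
The steps above as one scripted check, added here as an example (it is not part of the original guide or of any vendor tooling): it stores a secret, reads it back, and confirms that the PKCS#11 log grew by encrypt and decrypt entries during each operation. Assumptions: the function names are hypothetical, the script runs on the host where cs_pkcs11_R3.log is written, the P11_LOG path is a placeholder for your configured log location, and the log level is high enough to record PKCS#11 function names such as C_Encrypt and C_Decrypt.

```shell
#!/bin/sh
# Added example, not from the original guide.
# ASSUMPTION: placeholder path; set P11_LOG to the log location configured for the PKCS#11 library.
P11_LOG="${P11_LOG:-/tmp/cs_pkcs11_R3.log}"

# Number of lines currently in log file $1.
log_lines() { wc -l < "$1" | tr -d ' '; }

# Count lines after line number $2 of file $1 that mention PKCS#11 function $3.
# Matching is by substring, so C_Encrypt also counts C_EncryptInit entries.
p11_calls_since() {
    tail -n "+$(( $2 + 1 ))" "$1" | grep -c -F -- "$3" || true
}

# Store secret $1 with payload $2, read it back, and require that the HSM
# was involved in both directions. Other Barbican traffic during the check
# also lands in the log, so the counts are a sanity check, not an exact tally.
roundtrip_check() {
    name=$1 value=$2
    before=$(log_lines "$P11_LOG")
    href=$(openstack secret store --name "$name" --payload "$value" \
           -f value -c "Secret href") || return 1
    enc=$(p11_calls_since "$P11_LOG" "$before" C_Encrypt)

    mid=$(log_lines "$P11_LOG")
    got=$(openstack secret get "$href" --payload -f value -c Payload) || return 1
    dec=$(p11_calls_since "$P11_LOG" "$mid" C_Decrypt)

    [ "$got" = "$value" ] || { echo "payload mismatch for $href" >&2; return 1; }
    [ "$enc" -gt 0 ] || { echo "no C_Encrypt logged during store" >&2; return 1; }
    [ "$dec" -gt 0 ] || { echo "no C_Decrypt logged during get" >&2; return 1; }
    echo "ok: $href (C_Encrypt lines=$enc, C_Decrypt lines=$dec)"
}

# Usage, with the values from the steps above:
#   roundtrip_check utimaco123 password
```

Use a throwaway value for this check, because a payload passed on the command line ends up in the shell history and is visible in the process list while the command runs.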