Breadcrumbs

Using Different Encryption Mechanisms

The encryption algorithm used to encrypt secret payloads before they are stored in the database is configurable and depends on the PKCS#11 mechanism supported by the connected HSM.

By default, AES in CBC mode (CKM_AES_CBC) is used to encrypt the payloads. However, Barbican and u.Trust GP HSM also support additional encryption mechanisms, such as AES in GCM mode (CKM_AES_GCM).

Follow these steps to change the encryption mechanism, and to store a secret, and verify its use:

  1. Edit the Barbican configuration file barbican.conf and update the encryption_mechanism parameter under p11_crypto_plugin].

barbican.conf

[p11_crypto_plugin] 
# Path to Utimaco PKCS11 library 

library_path = /opt/utimaco/lib/libcs_pkcs11_R3.so 
# CryptoUser PIN to login to PKCS11

login = <PKCS11 Slot User PIN> 
# Master KEK label as stored in the HSM 

mkek_label = mkek_utimaco
# Master KEK length in bytes. (integer value)

mkek_length = 32 
# Master HMAC Key label (as stored in the HSM) (string value)

hmac_label = hmac_utimaco
# HSM Slot ID (integer value)

slot_id = 3

encryption_mechanism = CKM_AES_GCM

Save the file after making the change.

It is important to note that changing the encryption mechanism affects only newly created secrets. Existing secrets remain encrypted using the mechanism that was active at the time of their creation and can not be decrypted with a different mechanism.

  1. Restart the OpenStack-Barbican-API and httpd services.

›_ Console

# systemctl restart openstack-barbican-api.service

# systemctl restart httpd

  1. Generate a new secret.

›_ Console

# openstack secret store --name gcm_test_secret --payload testingGCM
StoreSecret_GCM.png


Storing a secret after changing encryption mechanism

  1. Verify the encryption mechanism used via Barbican Database.

›_ Console

# mysql

›_ mysql console

# USE barbican;

# SELECT secret_id, kek_meta_extended FROM encrypted_data ORDER BY created_at DESC;

The newly created secret will appear at the top of the table.

EncryptedData_Table.png


Table showing encryption mechanism used

  1. Confirm that the secret payload can be retrieved.

›_ Console

# openstack secret get <secret_href> --payload
GetGCMSecretPayload.png


Retrieving secret payload

  1. Change the encryption_mechanism parameter in the barbican.conf back to CKM_AES_CBC and restart the Barbican and httpd services.

  2. Attempting to retrieve the secret payload again results in an internal server error.

WrongAlgorithmUsed_WithoutCommand.png


Internal server error after attempting to retrieve payload with wrong mechanism

  1. An error also appears in the PKCS#11 logs that indicates that the decryption operation was attempted using parameters that do not match the original encryption mechanism. In this case the parameter is the initialization vector (IV) format and length as CKM_AES_CBC requires a 16-byte IV and CKM_AES_GCM requires a GCM parameter structure containing an IV (typically 12 bytes). If an IV does not match the requirements of the selected mechanism, the HSM rejects the operation.

PKCS11Log_InvalidIVLength.png


Invalid IV length error in PKCS#11 logs