Configure Barbican to Use Utimaco HSM

Edit the barbican.conf file located in /etc/barbican using your preferred text editor and add the following configuration to the file. Make sure to replace the placeholders in <> with the values used when initializing the PKCS#11 slot in the previous steps. Additional information on the configuration options can be found here.

barbican.conf

[secretstore]
enabled_secretstore_plugins = store_crypto

[crypto]
enabled_crypto_plugins = p11_crypto

[p11_crypto_plugin]
# Path to vendor PKCS11 library (string value)
library_path = /opt/utimaco/lib/libcs_pkcs11_R3.so

# Token label used to identify the token to be used.
token_label = <label>

# Password to login to PKCS11 session (string value)
login = <CryptoUser_PIN>

# Master KEK and HMAC key labels (as stored in the HSM) (string value)
mkek_label = mkek_utimaco
hmac_label = hmac_utimaco

# (Optional) HSM Slot ID that contains the token device to be used. (integer value)
slot_id = <slot_id>

# Secret encryption mechanism (string value) - can be changed even after secrets are present in the project:
# CKM_AES_CBC (default) or CKM_AES_GCM
encryption_mechanism = CKM_AES_CBC

# Key wrapping mechanism used to wrap the PKEK with the MKEK (string value) - cannot be changed after secrets are present in the project:
# CKM_AES_CBC_PAD (default), CKM_AES_KEY_WRAP_PAD or CKM_AES_KEY_WRAP_KWP (recommended by OpenStack for new deployments)
key_wrap_mechanism = CKM_AES_KEY_WRAP_KWP

# Whether to generate and pass an IV to the key wrap operation (boolean value)
# Should be True (default) for CKM_AES_CBC_PAD and False for CKM_AES_KEY_WRAP_PAD/KWP
key_wrap_generate_iv = False

As mentioned in the comment above the parameter, key_wrap_mechanism must be defined before any secrets are stored in the OpenStack project, as it cannot be changed afterward.

In addition to the default CKM_AES_CBC_PAD, the following key wrapping mechanisms are available:

  • CKM_AES_KEY_WRAP_PAD

  • CKM_AES_KEY_WRAP_KWP

For new deployments, OpenStack recommends using CKM_AES_KEY_WRAP_KWP, as it provides a standards-compliant implementation of AES Key Wrap with Padding (RFC 5649) and better interoperability across HSM vendors.
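A small consistency check for the [p11_crypto_plugin] section, added here as an example and not part of Barbican's or Utimaco's own tooling: it parses the file with Python's configparser and flags unreplaced <> placeholders, an unrecognized key_wrap_mechanism, and a key_wrap_generate_iv value that contradicts the chosen mechanism. The sample input is constructed from the template above.

```python
import configparser
import re

# Required key_wrap_generate_iv per mechanism, per the comments in barbican.conf above
KEY_WRAP_IV = {"CKM_AES_CBC_PAD": True,
               "CKM_AES_KEY_WRAP_PAD": False,
               "CKM_AES_KEY_WRAP_KWP": False}
PLACEHOLDER = re.compile(r"<[^>]*>")   # an unreplaced <label>, <slot_id>, ...


def lint_p11_config(text: str) -> list[str]:
    """Return findings for the [p11_crypto_plugin] section; empty list = consistent."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    if "p11_crypto_plugin" not in cfg:
        return ["missing [p11_crypto_plugin] section"]
    sec = cfg["p11_crypto_plugin"]
    findings = [f"{k}: placeholder {v!r} not replaced"
                for k, v in sec.items() if PLACEHOLDER.search(v)]
    # Defaults mirror the comments above: CBC_PAD wrapping with a generated IV.
    wrap = sec.get("key_wrap_mechanism", "CKM_AES_CBC_PAD")
    if wrap not in KEY_WRAP_IV:
        findings.append(f"key_wrap_mechanism: unknown value {wrap!r}")
        return findings
    try:
        gen_iv = sec.getboolean("key_wrap_generate_iv", fallback=True)
    except ValueError:
        findings.append("key_wrap_generate_iv: not a boolean")
        return findings
    if gen_iv != KEY_WRAP_IV[wrap]:
        findings.append(f"key_wrap_generate_iv must be {KEY_WRAP_IV[wrap]} for {wrap}")
    return findings


# Constructed sample: the template above with placeholders still in place and
# key_wrap_generate_iv left at the CBC_PAD default, which is wrong for KWP.
SAMPLE_BAD = """[p11_crypto_plugin]
library_path = /opt/utimaco/lib/libcs_pkcs11_R3.so
token_label = <label>
login = <CryptoUser_PIN>
slot_id = <slot_id>
key_wrap_mechanism = CKM_AES_KEY_WRAP_KWP
key_wrap_generate_iv = True
"""

if __name__ == "__main__":
    for finding in lint_p11_config(SAMPLE_BAD):
        print(finding)
```

Run it against the real /etc/barbican/barbican.conf before starting the service; an empty result means the section is at least internally consistent, not that the HSM accepts the mechanism.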

The mkek_utimaco and hmac_utimaco keys will be generated on the Utimaco HSM in slot 0 in the next section of this document.