Encrypting and Decrypting Secrets

  1. Authenticate the current shell with OpenStack admin credentials.

# source ~/devstack/openrc admin admin

  2. Create a secret or password.

# openstack secret store --name Utimaco123 --payload FlamingoPassword


[Figure: Creating a secret in OpenStack Barbican]

Here Utimaco123 is the secret name and FlamingoPassword is its value. Barbican stores this secret in encrypted form.

  3. You can also verify the encryption operations in the PKCS#11 log file cs_pkcs11_R3.log while the secret is being created, as shown below.

[Figure: Key wrapping and secret encryption in PKCS#11 logs]

The PKCS#11 logs show how Barbican uses the HSM to create and store secrets, including session setup, key generation, key wrapping, encryption, and HMAC operations, with the active cryptographic mechanisms (key wrapping, encryption, etc.) visible in the log entries. The initial secret creation includes one-time project setup (PKEK generation and wrapping under the MKEK), while subsequent secrets reuse this setup and primarily perform encryption and storage operations, resulting in shorter log sequences.
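The two-level key hierarchy just described (a per-project PKEK wrapped under the master MKEK, secrets encrypted under the PKEK and integrity-protected with an HMAC) is the reason the first secret of a project produces a longer log sequence than later ones. The following is an added illustration, not Barbican's code and not the Utimaco log format: it models the hierarchy with the standard library only, using an HMAC-SHA256 counter keystream as a stand-in for the AES wrapping and encryption mechanisms a real HSM performs, and records a trace of PKCS#11-style calls (the function names C_GenerateKey, C_WrapKey, C_UnwrapKey, C_Encrypt, C_Sign, C_Verify, C_Decrypt are standard PKCS#11 entry points; the exact sequence the plugin issues is assumed here).

```python
"""Simplified model of the Barbican PKCS#11 key hierarchy: MKEK -> PKEK -> secret.

Added illustration only. The stand-in cipher is an HMAC-SHA256 keystream so the
model runs with the standard library; the real plugin uses AES key wrapping and
AES encryption with keys that never leave the HSM.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR data with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


class ModelHSM:
    """Holds the master keys. The MKEK and the HMAC key never leave this object,
    mirroring non-extractable keys in a real HSM. `ops` records the PKCS#11-style
    operations issued and stands in for the PKCS#11 log (assumed call sequence)."""

    def __init__(self) -> None:
        self._mkek = secrets.token_bytes(32)
        self._hmac_key = secrets.token_bytes(32)
        self.ops: list[str] = []

    def generate_and_wrap_pkek(self) -> bytes:
        """One-time project setup: generate a PKEK and wrap it under the MKEK."""
        pkek = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        self.ops += ["C_GenerateKey(PKEK)", "C_WrapKey(PKEK under MKEK)"]
        return nonce + _keystream_xor(self._mkek, nonce, pkek)

    def _unwrap_pkek(self, wrapped: bytes) -> bytes:
        self.ops.append("C_UnwrapKey(PKEK)")
        return _keystream_xor(self._mkek, wrapped[:16], wrapped[16:])

    def encrypt(self, wrapped_pkek: bytes, payload: bytes) -> dict:
        """Encrypt a secret payload under the project's PKEK, then HMAC the result."""
        pkek = self._unwrap_pkek(wrapped_pkek)
        nonce = secrets.token_bytes(16)
        ct = _keystream_xor(pkek, nonce, payload)
        tag = hmac.new(self._hmac_key, nonce + ct, hashlib.sha256).digest()
        self.ops += ["C_Encrypt(secret under PKEK)", "C_Sign(HMAC over ciphertext)"]
        return {"nonce": nonce, "ct": ct, "tag": tag}

    def decrypt(self, wrapped_pkek: bytes, record: dict) -> bytes:
        """Verify the HMAC first; a modified record is rejected before any decryption."""
        expected = hmac.new(self._hmac_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, record["tag"]):
            raise ValueError("HMAC verification failed: stored secret was modified")
        self.ops.append("C_Verify(HMAC)")
        pkek = self._unwrap_pkek(wrapped_pkek)
        self.ops.append("C_Decrypt(secret under PKEK)")
        return _keystream_xor(pkek, record["nonce"], record["ct"])


class ProjectSecretStore:
    """Per-project view: the wrapped PKEK is created once and reused afterwards."""

    def __init__(self, hsm: ModelHSM) -> None:
        self.hsm = hsm
        self.wrapped_pkek: bytes | None = None  # only the wrapped form is ever persisted

    def store_secret(self, payload: bytes) -> dict:
        if self.wrapped_pkek is None:  # first secret for this project: one-time setup
            self.wrapped_pkek = self.hsm.generate_and_wrap_pkek()
        return self.hsm.encrypt(self.wrapped_pkek, payload)

    def get_secret(self, record: dict) -> bytes:
        return self.hsm.decrypt(self.wrapped_pkek, record)


def demo() -> tuple[int, int]:
    """Return (operations for the first secret, operations for the second).
    The first count is larger because it includes PKEK generation and wrapping."""
    hsm = ModelHSM()
    store = ProjectSecretStore(hsm)
    first = store.store_secret(b"FlamingoPassword")
    first_ops = len(hsm.ops)
    store.store_secret(b"AnotherPassword")
    second_ops = len(hsm.ops) - first_ops
    assert store.get_secret(first) == b"FlamingoPassword"
    return first_ops, second_ops


if __name__ == "__main__":
    print(demo())  # (5, 3)
```

Running `demo()` shows the asymmetry the log screenshots illustrate: five operations for the first secret (generate, wrap, unwrap, encrypt, HMAC) against three for every later one (unwrap, encrypt, HMAC). The HMAC check in `decrypt` runs before anything is unwrapped, which is the property that lets a retrieval of a tampered database row fail closed.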

  4. Retrieve the newly created secret metadata.

# openstack secret get <secret_href>

[Figure: Retrieving the newly created secret metadata]

  5. Retrieve the newly created secret payload.

# openstack secret get <secret_href> --payload

[Figure: Retrieving the newly created secret value]

The payload is decrypted before it is displayed.

  6. You can also verify the decryption operations in the PKCS#11 log file cs_pkcs11_R3.log while the secret is being retrieved, as shown below.

[Figure: Secret decryption in PKCS#11 logs]
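The steps above can be chained into one script that stores a secret, captures its href instead of copying it by hand, reads the metadata and the payload back, and checks that the decrypted payload equals what was stored. This is an added example, not from the original page: it assumes the `openstack` CLI with the Barbican plugin is installed, that `~/devstack/openrc` exists as in step 1, and that the store command's output contains a "Secret href" field (selected with the standard osc `-f value -c` output options; the `href_from_table` helper covers the default table output instead, using a constructed table layout).

```sh
#!/bin/sh
# Added example: end-to-end store / get / get --payload round trip for a Barbican secret.
# Assumes the openstack CLI with the barbican plugin and ~/devstack/openrc (see step 1).
set -eu

# Extract the "Secret href" value from the default table output of
# `openstack secret store` (table layout assumed; used when -f value is not available).
href_from_table() {
    sed -n 's/^| *Secret href *| *\([^ |]*\) *|.*$/\1/p'
}

# Store a secret and print only its href, using osc's column selection.
store_secret() {
    openstack secret store --name "$1" --payload "$2" -f value -c "Secret href"
}

# Print only the decrypted payload of the secret at the given href.
get_payload() {
    openstack secret get "$1" --payload -f value
}

# Store, read back metadata and payload, and verify the round trip.
round_trip() {
    name=$1
    value=$2
    href=$(store_secret "$name" "$value")
    echo "stored $name at $href"
    openstack secret get "$href"        # metadata only; the payload is not shown here
    got=$(get_payload "$href")
    [ "$got" = "$value" ] || { echo "payload mismatch for $name" >&2; return 1; }
    echo "round trip ok"
}

# Only talks to OpenStack when invoked as: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    . ~/devstack/openrc admin admin
    round_trip Utimaco123 FlamingoPassword
fi
```

Each `openstack secret get` in `round_trip` is a decryption request to Barbican, so running the script while tailing cs_pkcs11_R3.log reproduces the log sequences shown in steps 3 and 6 in one pass.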