Key Rotation/Migration

KEK Rewrap Compatibility

In the OpenStack Barbican Flamingo release, the PKCS#11 unwrap_key() interface takes the key wrap mechanism as an explicit parameter, while the rewrap_pkek utility (pkcs11_kek_rewrap.py) still calls it with the older signature. Until the two are aligned, PKEK rewrapping fails. A small compatibility fix passes the configured key wrapping mechanism (the plugin's key_wrap_mechanism setting) as the first argument of unwrap_key().

The compatibility fix is performed with the following steps:

  1. Locate the pkcs11_kek_rewrap.py script (default location is /opt/stack/barbican/barbican/cmd/pkcs11_kek_rewrap.py).

  1. Find the original code.

pkcs11_kek_rewrap.py

current_kek = self.pkcs11.unwrap_key(kek_mkek, iv, wrapped_key, session)

  1. Update the code.

pkcs11_kek_rewrap.py

current_kek = self.pkcs11.unwrap_key(self.pkcs11.key_wrap_mechanism, kek_mkek, iv, wrapped_key, session)

  1. Save the changes.
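Before patching, it is worth confirming which signature the installed build actually exposes. The following is an added example (not code from the page or from Barbican) of a call that adapts to either signature by inspecting the bound method; the two stand-in classes are constructed test doubles whose parameter names assume the Barbican signatures described above.

```python
import inspect


def needs_mechanism_arg(pkcs11):
    """True when this build's unwrap_key() expects the wrap mechanism as its
    first argument (the Flamingo form), False for the older four-argument
    form. inspect.signature() drops `self` for bound methods, so the first
    parameter is the one the caller supplies."""
    params = list(inspect.signature(pkcs11.unwrap_key).parameters)
    return bool(params) and params[0] == "mechanism"


def unwrap_key_compat(pkcs11, wrapping_key, iv, wrapped_key, session):
    """Drop-in for the unwrap_key() call in pkcs11_kek_rewrap.py that works
    with either signature. The mechanism passed is the plugin's configured
    key_wrap_mechanism, exactly as the manual one-line patch does."""
    if needs_mechanism_arg(pkcs11):
        return pkcs11.unwrap_key(pkcs11.key_wrap_mechanism, wrapping_key,
                                 iv, wrapped_key, session)
    return pkcs11.unwrap_key(wrapping_key, iv, wrapped_key, session)


# Constructed stand-ins for barbican.plugin.crypto.pkcs11.PKCS11 (parameter
# names are assumed). They echo what they were called with instead of
# talking to an HSM, so the dispatch can be checked offline.
class FlamingoPKCS11:
    key_wrap_mechanism = "CKM_AES_KEY_WRAP_KWP"

    def unwrap_key(self, mechanism, wrapping_key, iv, wrapped_key, session):
        return {"signature": "new", "mechanism": mechanism,
                "wrapping_key": wrapping_key}


class LegacyPKCS11:
    key_wrap_mechanism = "CKM_AES_KEY_WRAP_KWP"

    def unwrap_key(self, wrapping_key, iv, wrapped_key, session):
        return {"signature": "old", "wrapping_key": wrapping_key}


if __name__ == "__main__":
    for cls in (FlamingoPKCS11, LegacyPKCS11):
        print(cls.__name__,
              unwrap_key_compat(cls(), "mkek-handle", b"\0" * 16, b"wrapped", None))
```

On a live installation the same check can be made against the real class with `inspect.signature(barbican.plugin.crypto.pkcs11.PKCS11.unwrap_key)`: if `mechanism` appears in the parameter list, the rewrap script needs the patch above.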

Perform the key rotation using the following steps:

  1. Create a new MKEK using the barbican-manage hsm gen_mkek command.

›_ Console

# sudo -u stack -i barbican-manage hsm gen_mkek --library-path '/opt/utimaco/lib/libcs_pkcs11_R3.so' --passphrase <CryptoUser_PIN> \
  --slot-id <slot_id> --label 'mkek_utimaco_rewrap' --length 32


33_CreatedRewrapMKEK.png


Rewrap MKEK generated

  1. Create a new HMAC using the barbican-manage hsm gen_hmac command.

›_ Console

# sudo -u stack -i barbican-manage hsm gen_hmac --library-path '/opt/utimaco/lib/libcs_pkcs11_R3.so' --passphrase <CryptoUser_PIN> \
  --slot-id <slot_id> --label 'hmac_utimaco_rewrap' --length 32


34_CreatedRewrapHMAC.png


Rewrap HMAC generated

  1. Verify that both the new MKEK and the new HMAC key exist on the Utimaco HSM using the p11tool2 ListObjects command. The old MKEK and HMAC key must still be listed as well: rewrap_pkek needs the old MKEK to unwrap each PKEK before it can wrap it with the new one.

›_ Console

# ./p11tool2 slot=<slot_id> LoginUser=<CryptoUser_PIN> ListObjects


35_ListObjects_RewrapHMAC_MKEK.png


Listing rewrap keys with p11tool2

  1. Edit the barbican.conf file located in /etc/barbican using your preferred text editor and change the mkek_label and hmac_label parameter values in the [p11_crypto_plugin] section to the labels used when creating the new MKEK and HMAC. Do not remove the old MKEK or HMAC key from the HSM at this point; the label of the MKEK that wrapped each PKEK is recorded with it in the database and is looked up during rewrap.

barbican.conf

# Master KEK and HMAC key labels (as stored in the HSM) (string value)
mkek_label = mkek_utimaco_rewrap
hmac_label = hmac_utimaco_rewrap

  1. Restart the OpenStack Barbican service so that it picks up the new labels.

›_ Console

# sudo systemctl restart devstack@barbican-svc.service

  1. Optional: run the rewrap_pkek command with the --dry-run option to display the changes that would be made without applying them.

›_ Console

# sudo -u stack -i barbican-manage hsm rewrap_pkek --dry-run


36_RewrapPKEK_DryRun.png


Rewrapping PKEK (dry run)

  1. Run the rewrap_pkek command to unwrap each PKEK with its old MKEK and rewrap it with the new MKEK.

›_ Console

# sudo -u stack -i barbican-manage hsm rewrap_pkek


37_RewrapPKEK.png


Rewrapping PKEK

  1. You can verify the rewrap operation in the PKCS#11 log file cs_pkcs11_R3.log.

38_RewrapPKEK_Logs_PKCS11.png


PKEK rewrapping in PKCS#11 logs

  1. Verify that you can still retrieve the payloads of the secrets generated earlier. A successful read proves that the rewrapped PKEK decrypts existing secrets; only after this check should the old MKEK and HMAC key be retired from the HSM.

›_ Console

# openstack secret get <secret_href> --payload


39_GetSecretWithValueAfterRewrap.png


Retrieving secret value after PKEK rewrap
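The rotation above is a bookkeeping loop over the stored KEK records, and the two things that bite in practice are deleting the old MKEK too early and skipping the dry run. The following is an added example, not Barbican's code, that models that loop offline: an in-memory stand-in for the HSM slot, a wrap/unwrap pair that produces metadata shaped like the plugin_meta Barbican keeps per project KEK (mkek_label, hmac_label, iv, wrapped_key, hmac), and a rewrap function with a dry-run mode that refuses to proceed when the old MKEK is gone. The wrap itself is a constructed toy (HMAC-SHA256 keystream XORed over a 32-byte PKEK), not CKM_AES_KEY_WRAP_KWP, and plugin_meta is held as a dict rather than the JSON text Barbican stores.

```python
import hashlib
import hmac
import os


class ToyHSM:
    """Constructed stand-in for the Utimaco slot: label -> key bytes.
    The real slot holds non-extractable PKCS#11 objects addressed by label;
    this dict only mimics the label lookup."""

    def __init__(self):
        self.keys = {}

    def gen_key(self, label):  # what barbican-manage hsm gen_mkek/gen_hmac do
        self.keys[label] = os.urandom(32)

    def get_key(self, label):  # raises if the label has been deleted
        if label not in self.keys:
            raise KeyError(f"key {label!r} not present in HSM")
        return self.keys[label]


def _keystream(mkek, iv):
    # Toy wrap: one HMAC-SHA256 block XORed over a 32-byte PKEK. Stand-in for
    # CKM_AES_KEY_WRAP_KWP with no integrity of its own (the HMAC below adds it).
    return hmac.new(mkek, iv, hashlib.sha256).digest()


def wrap_pkek(hsm, mkek_label, hmac_label, pkek):
    """Wrap a project KEK; returns plugin_meta-shaped metadata."""
    assert len(pkek) == 32, "toy wrap handles 32-byte PKEKs only"
    iv = os.urandom(16)
    ks = _keystream(hsm.get_key(mkek_label), iv)
    wrapped = bytes(a ^ b for a, b in zip(pkek, ks))
    tag = hmac.new(hsm.get_key(hmac_label), wrapped, hashlib.sha256).hexdigest()
    return {"mkek_label": mkek_label, "hmac_label": hmac_label,
            "iv": iv.hex(), "wrapped_key": wrapped.hex(), "hmac": tag}


def unwrap_pkek(hsm, meta):
    """Verify the HMAC, then unwrap with the MKEK named in the metadata."""
    wrapped = bytes.fromhex(meta["wrapped_key"])
    tag = hmac.new(hsm.get_key(meta["hmac_label"]), wrapped, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, meta["hmac"]):
        raise ValueError("HMAC mismatch on wrapped PKEK; refusing to unwrap")
    ks = _keystream(hsm.get_key(meta["mkek_label"]), bytes.fromhex(meta["iv"]))
    return bytes(a ^ b for a, b in zip(wrapped, ks))


def rewrap_pkek(hsm, kek_data, new_mkek_label, new_hmac_label, dry_run=False):
    """Model of `barbican-manage hsm rewrap_pkek` over KEK rows.

    Each row names the MKEK that wrapped it, so that MKEK must still be in
    the HSM. Rows already on the new label are skipped. Returns one action
    string per row; with dry_run nothing is modified."""
    actions = []
    for kek in kek_data:
        meta = kek["plugin_meta"]
        old = meta["mkek_label"]
        if old == new_mkek_label:
            actions.append(f"{kek['id']}: already wrapped with {new_mkek_label}, skipped")
            continue
        if old not in hsm.keys:
            raise RuntimeError(f"{kek['id']}: old MKEK {old!r} missing from HSM; "
                               "do not delete it before rewrap completes")
        if dry_run:
            actions.append(f"{kek['id']}: would rewrap {old} -> {new_mkek_label}")
            continue
        pkek = unwrap_pkek(hsm, meta)  # fails closed on HMAC mismatch
        kek["plugin_meta"] = wrap_pkek(hsm, new_mkek_label, new_hmac_label, pkek)
        actions.append(f"{kek['id']}: rewrapped {old} -> {new_mkek_label}")
    return actions


if __name__ == "__main__":
    hsm = ToyHSM()
    for label in ("mkek_utimaco", "hmac_utimaco",
                  "mkek_utimaco_rewrap", "hmac_utimaco_rewrap"):
        hsm.gen_key(label)
    pkek = os.urandom(32)
    rows = [{"id": "kek-1",
             "plugin_meta": wrap_pkek(hsm, "mkek_utimaco", "hmac_utimaco", pkek)}]
    print(rewrap_pkek(hsm, rows, "mkek_utimaco_rewrap", "hmac_utimaco_rewrap", dry_run=True))
    print(rewrap_pkek(hsm, rows, "mkek_utimaco_rewrap", "hmac_utimaco_rewrap"))
    print("secret still decrypts:", unwrap_pkek(hsm, rows[0]["plugin_meta"]) == pkek)
```

The important property the model preserves is that the PKEK bytes never change: only the wrapping key and the HMAC key around them do, which is why secrets encrypted before the rotation still decrypt afterwards and why the final `openstack secret get` check is the right acceptance test.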