Breadcrumbs

Using Different Encryption Mechanisms

The encryption algorithm used to encrypt secret payloads before they are stored in the database is configurable and depends on the PKCS#11 mechanism supported by the connected HSM.

By default, AES in CBC mode (CKM_AES_CBC) is used to encrypt the payloads. However, Barbican and u.Trust GP HSM also support additional encryption mechanisms, such as AES in GCM mode (CKM_AES_GCM).

Follow these steps to change the encryption mechanism, store a secret, and verify its use:

  1. Edit the Barbican configuration file barbican.conf using your preferred text editor and update the encryption_mechanism parameter under p11_crypto_plugin].

barbican.conf

# Secret encryption mechanism (string value) - can be changed with secrets present in the project:
# CKM_AES_CBC (default) or CKM_AES_GCM
encryption_mechanism = CKM_AES_GCM

Save the file after making the change.

It is important to note that changing the encryption mechanism affects only newly created secrets. Existing secrets remain encrypted using the mechanism that was active at the time of their creation and can not be decrypted with a different mechanism.

  1. Restart the OpenStack Barbican service.

›_ Console

# sudo systemctl restart devstack@barbican-svc.service

  1. Generate a new secret.

›_ Console

# openstack secret store --name Utimaco123_GCM --payload FlamingoPassword_GCM


41_SecretCreated_GCM.png


Storing a secret after changing the encryption mechanism

  1. Verify the encryption mechanism used via the PKCS#11 log file cs_pkcs11_R3.log.

41_SecretCreated_GCM_Logs_PKCS11_Marked.png


  1. Verify the encryption mechanism used via Barbican database.

›_ Console

# mysql

›_ mysql console

# USE barbican;

# SELECT secret_id, kek_meta_extended FROM encrypted_data ORDER BY created_at DESC;

The newly created secret will appear at the top of the table.

42_EncryptionMechanismInBarbicanDatabase.png


Table showing encryption mechanism used

  1. Confirm that the secret payload can be retrieved.

›_ Console

# openstack secret get <secret_href> --payload
43_RetrievingSecretPayload_GCM.png


Retrieving secret value with correct encryption mechanism

  1. Change the encryption_mechanism parameter in the barbican.conf back to CKM_AES_CBC and restart the Barbican service.

  2. Attempting to retrieve the secret payload again results in an internal server error.

44_RetrievingSecretPayloadWithWrongMechanism_Logs_PKCS11.png


Internal server error after attempting to retrieve payload with wrong mechanism

  1. An error also appears in the PKCS#11 logs that indicates that the decryption operation was attempted using parameters that do not match the original encryption mechanism. In this case the parameter is the initialization vector (IV) format and length as CKM_AES_CBC requires a 16-byte IV and CKM_AES_GCM requires a GCM parameter structure containing an IV (typically 12 bytes). If an IV does not match the requirements of the selected mechanism, the HSM rejects the operation.

45_RetrievingSecretPayloadWithWrongMechanism_Logs_PKCS11.png


Invalid IV length error in PKCS#11 logs