OpenStack Barbican, Cryptography for Managing Secrets in the Cloud

The next phase of security evolution requires enabling the developers to include security features in their code and not rely on point products that may or may not fit well with the application architecture. The twelve factor applications of the modern era depend on open source technologies to support the rapid development of ‘secure’ new stacks. During my research last year on technologies that offer programmable security features on scale, a particular project caught my attention, one that looked at the problem of storage, provision and management of secrets for the cloud differently.

OpenStack Barbican is a platform developed by the OpenStack community aimed at providing cryptographic functions useful for all environments, including large ephemeral clouds.

Jarret Raim at Rackspace is Barbican’s Program Technical Lead and I had an opportunity to speak to him about the project.

The show is available for download. Here are a few notes from our discussion.

Barbican was initiated by Jarret Raim and his team at Rackspace around a year ago. The requirement for the project stemmed from gaps identified by Jarret and his team in OpenStack services like Nova (compute), Swift (object storage) and others. There was a desire to include encryption features in various OpenStack services but there were no specific plans or solutions. Additionally, Rackspace was aiming to rebuild its SSL certificate offering. Hence, Barbican was initiated as a project formerly named CloudKeep, a REST API built in Python.

There were a lot of people wanting to offer encryption in OpenStack services like Nova and Swift but with no execution plans.

We decided to build the Barbican platform that would solve these problems for OpenStack.

– Jarret Raim, Rackspace

Barbican will be released as part of OpenStack’s next release, named Juno, at the OpenStack Summit, Paris in November.

Organisations that have contributed significantly over the service incubation process include Redhat, HP, Intel, OpenStack Security Group team and engineers from Applied Physics Laboratory at The John Hopkins University. The code is available on GitHub for the interested cryptography engineers, enthusiasts and existing or potential contributors to review and provide input.

Currently, Barbican has good support for symmetric keys’ lifecycle management and various backends that allow you to choose how you’d like to protect your keys like Hardware Security Modules (HSMs). RedHat has contributed code to use a system called Dogtag – a RedHat Enterprise key manager and support for HP’s key manager is imminent.

This provides enterprises a unique opportunity to extend their existing investments in HSMs to provide security features for their cloud projects. Notably, Barbican’s architecture is scalable and available to access programmatically using established DevOps tools.

Image Source

For the Juno release, work is ongoing to include asymmetric key support, starting with SSL/TLS keys and extending it to SSH keys or any other type of key material. Additionally, the goal is to support public Certificate Authorities (CAs) like Symantec, DigiCert and others in relation to certificate management. The Load-Balancing-as-a-Service (LBaaS) within OpenStack is also looking to extend Barbican’s service for Juno.

Conclusion

Enabling easy access to security functionality for the developer in the modern programmable and scalable environments will ensure trust and increased adoption. Barbican is a unique and promising initiative that drives this model forward to make the cloud environments more secure.

Jarret Raim and Paavan Mistry can be reached for comments on Twitter @jarretraim and @98pm respectively.