Configuring Secret Store Back-ends

The Key Manager service has a plugin architecture that allows the deployer to store secrets in one or more secret stores. A secret store can be software-based, such as a software-only encryption mechanism, or a hardware device such as a Hardware Security Module (HSM).

Secret stores implement both the encryption mechanism and the storage of the encrypted secrets.

This section compares all of the currently available plugins and the security trade-offs that need to be considered when deciding which of them to use.

Simple Crypto Plugin

This back-end plugin implements encryption using software only. The encrypted secrets are stored in the Barbican database.

This crypto plugin is configured by default in /etc/barbican/barbican.conf.

The plugin uses a single symmetric key (the kek, or "key encryption key"), stored in plain text in the /etc/barbican/barbican.conf file, to encrypt and decrypt all secrets.
    Security     | ⚠ Master key (KEK) is stored in a configuration file
    Maturity     | ✅ Tested on every patch
    Ease of use  | ✅ Simple to deploy
                 | ❌ Key rotation is disruptive (all secrets must be re-encrypted)
    Scalability  | ✅ Storage can be scaled in the SQL DB
                 | ✅ Failover/HA is simple: just run more barbican-api instances
                 | ✅ High performance: software crypto is fast
    Cost         | ✅ Free (as in beer)
Warning

This plugin stores its KEK in plain text in the configuration file, which will be present on any node running the barbican-api or barbican-worker services. Extreme care should be taken to prevent unauthorized access to these nodes. When this plugin is used, the KEK is the only factor protecting the secrets stored in the database.

The configuration for this plugin in /etc/barbican/barbican.conf is as follows:

    # ================= Secret Store Plugin ===================
    [secretstore]
    ..
    enabled_secretstore_plugins = store_crypto

    # ================= Crypto plugin ===================
    [crypto]
    ..
    enabled_crypto_plugins = simple_crypto

    [simple_crypto_plugin]
    # the kek should be a 32-byte value which is base64 encoded
    kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='

Note

Setting a crypto plugin only takes effect when the secretstore plugin is set to store_crypto, unless multiple back-end stores are in use. So, for example, using vault as the secretstore and PKCS#11 as the crypto plugin will not work (vault handles both storage and encryption).
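The warning and the note above each describe a condition worth checking before a deployment goes live: the simple_crypto kek must be a 32-byte base64 value that is actually secret (the value printed in the example is public), and a [crypto] plugin setting has no effect unless the secretstore plugin is store_crypto or multiple back ends are enabled. The following stdlib-only Python is an added example, not Barbican code; it assumes oslo.config-style INI, ignores the `..` elision markers used in the snippets, strips surrounding quotes the way oslo.config does, and the two sample configurations embedded in it are constructed for the example.

```python
"""Sanity checks for the [secretstore]/[crypto]/[simple_crypto_plugin]
settings (added example, not part of Barbican)."""
import base64
import binascii
import configparser
import os
import stat

# The kek printed in the documentation. It is public, so a deployment
# that still carries it has no effective KEK at all.
DOC_EXAMPLE_KEK = "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="

# Constructed sample: the documented simple_crypto configuration.
DOC_CONF = """
[secretstore]
..
enabled_secretstore_plugins = store_crypto
[crypto]
..
enabled_crypto_plugins = simple_crypto
[simple_crypto_plugin]
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
"""

# Constructed sample: the combination the note says will not work.
MISMATCH_CONF = """
[secretstore]
enabled_secretstore_plugins = vault_plugin
[crypto]
enabled_crypto_plugins = p11_crypto
"""


def _unquote(value):
    """oslo.config accepts 'quoted' values; configparser keeps the quotes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    # Drop the ".." lines the documentation uses to elide other options.
    cp.read_string("\n".join(l for l in text.splitlines() if l.strip() != ".."))
    return cp


def check_kek(kek):
    """Return a list of findings for a simple_crypto kek value."""
    findings = []
    if kek == DOC_EXAMPLE_KEK:
        findings.append("kek is the value from the documentation")
    try:
        raw = base64.b64decode(kek, validate=True)
    except (binascii.Error, ValueError):
        return findings + ["kek is not valid base64"]
    if len(raw) != 32:
        findings.append(f"kek decodes to {len(raw)} bytes, expected 32")
    return findings


def check_conf(text):
    """Apply the plugin-combination rule and the kek checks to a config."""
    cp = parse_conf(text)
    findings = []
    ss = _unquote(cp.get("secretstore", "enabled_secretstore_plugins", fallback=""))
    multi = cp.getboolean("secretstore", "enable_multiple_secret_stores", fallback=False)
    crypto = _unquote(cp.get("crypto", "enabled_crypto_plugins", fallback=""))
    if crypto and ss != "store_crypto" and not multi:
        findings.append(f"enabled_crypto_plugins={crypto} is ignored because "
                        f"enabled_secretstore_plugins={ss!r} is not store_crypto")
    if crypto == "simple_crypto" and cp.has_section("simple_crypto_plugin"):
        findings += check_kek(_unquote(cp.get("simple_crypto_plugin", "kek", fallback="")))
    return findings


def new_kek():
    """A fresh 32-byte KEK in the base64 form the plugin expects."""
    return base64.b64encode(os.urandom(32)).decode()


def conf_file_is_private(path):
    """True when the file is not readable or writable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


if __name__ == "__main__":
    for name, conf in (("documented", DOC_CONF), ("mismatched", MISMATCH_CONF)):
        print(name, check_conf(conf) or ["ok"])
```

Run `check_conf()` over the real /etc/barbican/barbican.conf and `conf_file_is_private()` on its path; since the KEK is the only thing protecting the database contents, a world-readable file or the documented example value should both block the rollout.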
PKCS#11 Crypto Plugin

This crypto plugin can be used to interface with a Hardware Security Module (HSM) using the PKCS#11 protocol.

Secrets are encrypted (and decrypted on retrieval) with a project-specific Key Encryption Key (KEK), which is itself encrypted with a Master Key (MKEK) and signed with an HMAC key. Both the MKEK and the HMAC key reside in the HSM.
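A software model of the key hierarchy just described, added here as an illustration; it is not the Barbican PKCS#11 plugin's code. A SimulatedHsm class (an assumption of this example) stands in for the HSM and keeps the MKEK and HMAC key private; project KEKs are wrapped with AES key wrap with padding (the CKM_AES_KEY_WRAP_KWP mechanism), the wrapped KEK is authenticated with HMAC-SHA256 (CKM_SHA256_HMAC), and secrets are encrypted under the project KEK with AES-GCM. One simplification: in the real plugin the unwrapped project KEK stays inside the HSM as a session object, whereas here unwrap returns it to the caller so that the flow is visible. Requires the `cryptography` package.

```python
"""Model of the PKCS#11 plugin's MKEK / HMAC / project-KEK hierarchy
(added example; SimulatedHsm is a stand-in, not a real PKCS#11 device)."""
import os

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes, hmac
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import (
    aes_key_unwrap_with_padding, aes_key_wrap_with_padding)


class SimulatedHsm:
    """Holds the master keys; only wrap/unwrap/sign/verify are exposed."""

    def __init__(self):
        self._mkek = os.urandom(32)       # the object behind mkek_label
        self._hmac_key = os.urandom(32)   # the object behind hmac_label

    def wrap(self, key):                  # CKM_AES_KEY_WRAP_KWP
        return aes_key_wrap_with_padding(self._mkek, key)

    def unwrap(self, wrapped):
        return aes_key_unwrap_with_padding(self._mkek, wrapped)

    def sign(self, data):                 # CKM_SHA256_HMAC
        h = hmac.HMAC(self._hmac_key, hashes.SHA256())
        h.update(data)
        return h.finalize()

    def verify(self, data, sig):
        h = hmac.HMAC(self._hmac_key, hashes.SHA256())
        h.update(data)
        h.verify(sig)                     # raises InvalidSignature on mismatch


class ProjectKekStore:
    """What the Barbican DB holds: a wrapped pKEK and its HMAC per project."""

    def __init__(self, hsm):
        self.hsm = hsm
        self.rows = {}                    # project_id -> (wrapped_pkek, hmac)

    def _pkek(self, project_id):
        if project_id not in self.rows:
            pkek = os.urandom(32)         # pkek_length = 32
            wrapped = self.hsm.wrap(pkek)
            self.rows[project_id] = (wrapped, self.hsm.sign(wrapped))
            return pkek
        wrapped, sig = self.rows[project_id]
        self.hsm.verify(wrapped, sig)     # authenticate before unwrapping
        return self.hsm.unwrap(wrapped)

    def store_secret(self, project_id, plaintext):
        iv = os.urandom(12)
        return iv + AESGCM(self._pkek(project_id)).encrypt(iv, plaintext, None)

    def get_secret(self, project_id, blob):
        return AESGCM(self._pkek(project_id)).decrypt(blob[:12], blob[12:], None)


def demo():
    """Round trip, cross-project isolation, and detection of a tampered row."""
    store = ProjectKekStore(SimulatedHsm())
    blob = store.store_secret("proj-a", b"db-password")
    results = {"roundtrip": store.get_secret("proj-a", blob) == b"db-password"}
    try:                                  # another project's pKEK cannot open it
        store.get_secret("proj-b", blob)
        results["isolated"] = False
    except InvalidTag:
        results["isolated"] = True
    wrapped, sig = store.rows["proj-a"]   # flip a bit in the stored wrapped pKEK
    store.rows["proj-a"] = (bytes([wrapped[0] ^ 1]) + wrapped[1:], sig)
    try:
        store.get_secret("proj-a", blob)
        results["tamper_detected"] = False
    except InvalidSignature:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The order of operations in `_pkek` is the point: the HMAC over the wrapped project KEK is verified before anything is unwrapped, so a modified database row is rejected without the MKEK ever being applied to attacker-controlled bytes.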
This plugin is configured in /etc/barbican/barbican.conf. Settings for several different HSMs are provided below.

Thales Luna Network HSM

The PKCS#11 plugin configuration for a Luna Network HSM looks like this:

    [secretstore]
    enable_multiple_secret_stores = True
    stores_lookup_suffix = luna

    # ========== Secret Store configuration ==========
    [secretstore:luna]
    secret_store_plugin = store_crypto
    crypto_plugin = p11_crypto

    # ================= Crypto plugin ===================
    [p11_crypto_plugin]
    # Path to vendor PKCS11 library
    library_path = '/usr/lib/libCryptoki2_64.so'

    # Token serial number for the token to be used. Required
    # when the device has multiple tokens with the same label.
    # (string value)
    #token_serial_number = 12345678

    # Token label for the token to be used. Required when
    # token_serial_number is not specified. (string value)
    token_labels = myPKCS11Token

    # (Optional) HSM Slot ID that contains the token device to be used.
    # Required when token_serial_number and token_labels are not specified.
    # (integer value)
    #slot_id = 0

    # Password (PIN) to login to PKCS11 session
    login = 'mypassword'

    # Encryption algorithm used to encrypt secrets
    encryption_mechanism = CKM_AES_CBC_GCM

    # Label to identify master KEK in the HSM (must not be the same as HMAC label)
    mkek_label = 'my_mkek_label'

    # Label to identify master HMAC key in the HSM (must not be the same as MKEK label)
    hmac_label = 'my_hmac_label'

    # Key Type for the master HMAC key
    hmac_key_type = CKK_GENERIC_SECRET

    # HMAC Key Generation Algorithm used to create the master HMAC Key
    hmac_keygen_mechanism = CKM_GENERIC_SECRET_KEY_GEN

    # HMAC algorithm used to sign encrypted data
    hmac_mechanism = CKM_SHA256_HMAC

    # Key Wrap algorithm used to wrap Project KEKs
    key_wrap_mechanism = CKM_AES_KEY_WRAP_KWP

The HMAC and MKEK keys can be generated as follows:

    barbican-manage hsm gen_hmac --library-path /usr/lib/libCryptoki2_64.so \
      --passphrase XXX --slot-id 1 --label my_hmac_label

    barbican-manage hsm gen_mkek --library-path /usr/lib/libCryptoki2_64.so \
      --passphrase XXX --slot-id 1 --label my_mkek_label
nCipher

For an nCipher nShield Connect XC, the plugin configuration looks like this:

    # ================= Secret Store Plugin ===================
    [secretstore]
    ..
    enabled_secretstore_plugins = store_crypto

    # ================= Crypto plugin ===================
    [crypto]
    ..
    enabled_crypto_plugins = p11_crypto

    [p11_crypto_plugin]
    # Path to vendor PKCS11 library
    library_path = '/opt/nfast/toolkits/pkcs11/libcknfast.so'

    # Token serial number used to identify the token to be used. Required
    # when the device has multiple tokens with the same label. (string
    # value)
    token_serial_number = 12345678

    # Token label used to identify the token to be used. Required when
    # token_serial_number is not specified. (string value)
    #token_label = <None>

    # Password to login to PKCS11 session
    login = 'XXX'

    # Label to identify master KEK in the HSM (must not be the same as HMAC label)
    mkek_label = 'thales_mkek_0'

    # Length in bytes of master KEK
    mkek_length = 32

    # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
    hmac_label = 'thales_hmac_0'

    # (Optional) HSM Slot ID that contains the token device to be used.
    # (integer value)
    # slot_id = 1

    # Enable Read/Write session with the HSM?
    # rw_session = True

    # Length of Project KEKs to create
    # pkek_length = 32

    # How long to cache unwrapped Project KEKs
    # pkek_cache_ttl = 900

    # Max number of items in pkek cache
    # pkek_cache_limit = 100

    # Secret encryption mechanism (string value)
    # Deprecated group/name - [p11_crypto_plugin]/algorithm
    encryption_mechanism = CKM_AES_CBC

    # HMAC Key Type (string value)
    hmac_key_type = CKK_SHA256_HMAC

    # HMAC Key Generation Mechanism (string value)
    hmac_keygen_mechanism = CKM_NC_SHA256_HMAC_KEY_GEN

    # Generate IVs for CKM_AES_GCM mechanism. (boolean value)
    # Deprecated group/name - [p11_crypto_plugin]/generate_iv
    aes_gcm_generate_iv = True

    # Always set CKA_SENSITIVE=CK_TRUE including
    # CKA_EXTRACTABLE=CK_TRUE keys.
    # default true
    always_set_cka_sensitive = false

The HMAC and MKEK keys can be generated as follows:

    barbican-manage hsm gen_hmac \
      --library-path /opt/nfast/toolkits/pkcs11/libcknfast.so \
      --passphrase XXX --slot-id 1 --label thales_hmac_0 \
      --key-type CKK_SHA256_HMAC \
      --mechanism CKM_NC_SHA256_HMAC_KEY_GEN

    barbican-manage hsm gen_mkek \
      --library-path /opt/nfast/toolkits/pkcs11/libcknfast.so \
      --passphrase XXX --slot-id 1 --label thales_mkek_0
ATOS Bull

For an ATOS Bull HSM, the plugin configuration looks like this:

    # ================= Secret Store Plugin ===================
    [secretstore]
    ..
    enabled_secretstore_plugins = store_crypto

    # ================= Crypto plugin ===================
    [crypto]
    ..
    enabled_crypto_plugins = p11_crypto

    [p11_crypto_plugin]
    # Path to vendor PKCS11 library
    library_path = '/usr/lib64/libnethsm.so'

    # Token serial number used to identify the token to be used. Required
    # when the device has multiple tokens with the same label. (string
    # value)
    token_serial_number = 12345678

    # Token label used to identify the token to be used. Required when
    # token_serial_number is not specified. (string value)
    #token_label = <None>

    # Password to login to PKCS11 session
    login = 'XXX'

    # Label to identify master KEK in the HSM (must not be the same as HMAC label)
    mkek_label = 'atos_mkek_0'

    # Length in bytes of master KEK
    mkek_length = 32

    # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
    hmac_label = 'atos_hmac_0'

    # (Optional) HSM Slot ID that contains the token device to be used.
    # (integer value)
    # slot_id = 1

    # Enable Read/Write session with the HSM?
    # rw_session = True

    # Length of Project KEKs to create
    # pkek_length = 32

    # How long to cache unwrapped Project KEKs
    # pkek_cache_ttl = 900

    # Max number of items in pkek cache
    # pkek_cache_limit = 100

    # Secret encryption mechanism (string value)
    # Deprecated group/name - [p11_crypto_plugin]/algorithm
    encryption_mechanism = CKM_AES_CBC

    # HMAC Key Type (string value)
    hmac_key_type = CKK_GENERIC_SECRET

    # HMAC Key Generation Mechanism (string value)
    hmac_keygen_mechanism = CKM_GENERIC_SECRET_KEY_GEN

    # Always set CKA_SENSITIVE=CK_TRUE including
    # CKA_EXTRACTABLE=CK_TRUE keys.
    # default true
    always_set_cka_sensitive = false

The HMAC and MKEK keys can be generated as follows:

    barbican-manage hsm gen_hmac --library-path /usr/lib64/libnethsm.so \
      --passphrase XXX --slot-id 1 --label atos_hmac_0 \
      --key-type CKK_GENERIC_SECRET \
      --mechanism CKM_GENERIC_SECRET_KEY_GEN

    barbican-manage hsm gen_mkek --library-path /usr/lib64/libnethsm.so \
      --passphrase XXX --slot-id 1 --label atos_mkek_0
Utimaco

The PKCS#11 plugin configuration looks like this:

    # ================= Secret Store Plugin ===================
    [secretstore]
    ..
    enabled_secretstore_plugins = store_crypto

    # ================= Crypto plugin ===================
    [crypto]
    ..
    enabled_crypto_plugins = p11_crypto

    [p11_crypto_plugin]
    # Path to vendor PKCS11 library (string value)
    library_path = '/opt/utimaco/lib/libcs_pkcs11_R2.so'

    # Token serial number used to identify the token to be used. Required
    # when the device has multiple tokens with the same label. (string
    # value)
    token_serial_number = 12345678

    # Token label used to identify the token to be used. Required when
    # token_serial_number is not specified. (string value)
    #token_label = <None>

    # Password to login to PKCS11 session (string value)
    login = '$up3r$e<retP4ssw0rd'

    # Master KEK label (as stored in the HSM) (string value)
    mkek_label = 'my_mkek'

    # Master KEK length in bytes. (integer value)
    #mkek_length = 32

    # Master HMAC Key label (as stored in the HSM) (string value)
    hmac_label = 'my_hmac_key'

    # (Optional) HSM Slot ID that contains the token device to be used.
    # (integer value)
    # slot_id = 1

    # Flag for Read/Write Sessions (boolean value)
    #rw_session = true

    # Project KEK length in bytes. (integer value)
    #pkek_length = 32

    # Project KEK Cache Time To Live, in seconds (integer value)
    #pkek_cache_ttl = 900

    # Project KEK Cache Item Limit (integer value)
    #pkek_cache_limit = 100

    # Secret encryption mechanism (string value)
    # Deprecated group/name - [p11_crypto_plugin]/algorithm
    encryption_mechanism = CKM_AES_CBC

    # HMAC Key Type (string value)
    #hmac_key_type = CKK_AES

    # HMAC Key Generation Algorithm (string value)
    #hmac_keygen_mechanism = CKM_AES_KEY_GEN

    # File to pull entropy for seeding RNG (string value)
    #seed_file =

    # Amount of data to read from file for seed (integer value)
    #seed_length = 32

    # User friendly plugin name (string value)
    #plugin_name = PKCS11 HSM

    # Generate IVs for CKM_AES_GCM mechanism. (boolean value)
    # Deprecated group/name - [p11_crypto_plugin]/generate_iv
    #aes_gcm_generate_iv = true

    # HMAC key wrap mechanism
    hmac_keywrap_mechanism = CKM_AES_MAC

The HMAC and MKEK keys can be generated as follows:

    barbican-manage hsm gen_mkek --library-path \
      /opt/utimaco/lib/libcs_pkcs11_R2.so --passphrase XXX \
      --slot-id 0 --label 'my_mkek'

    barbican-manage hsm gen_hmac --library-path \
      /opt/utimaco/lib/libcs_pkcs11_R2.so --passphrase XXX \
      --slot-id 0 --label 'my_hmac_key'
KMIP Plugin

This secret store plugin is used to communicate with a KMIP device. The secrets are securely stored in the KMIP device directly, rather than in the Barbican database. The Barbican database keeps a reference to the secret's location for later retrieval.

The plugin can be configured to authenticate to the KMIP device either with a username and password, or with a client certificate.

The configuration for this plugin in /etc/barbican/barbican.conf is as follows:

    [secretstore]
    ..
    enabled_secretstore_plugins = kmip_plugin

    [kmip_plugin]
    username = 'admin'
    password = 'password'
    host = localhost
    port = 5696
    keyfile = '/path/to/certs/cert.key'
    certfile = '/path/to/certs/cert.crt'
    ca_certs = '/path/to/certs/LocalCA.crt'
Dogtag Plugin

Dogtag is the upstream project for the Red Hat Certificate System, a robust, full-featured PKI solution that contains a Certificate Manager (CA) and a Key Recovery Authority (KRA) which is used to securely store secrets.

The KRA stores secrets as encrypted blobs in its internal database, with the master encryption keys held either in a software-based NSS security database or in a Hardware Security Module (HSM).

Note that the software-based NSS database configuration provides a secure option for deployments that do not require, or cannot afford, an HSM. It is the only current plugin that offers this option.

The KRA communicates with HSMs using PKCS#11. For the list of certified HSMs, see the latest release notes. Dogtag and the KRA meet all the relevant Common Criteria and FIPS specifications.

The KRA is a component of FreeIPA, so the plugin can be configured to use a FreeIPA server. More detailed instructions on how to set up Barbican with FreeIPA are provided here.

The plugin communicates with the KRA using the client certificate of a trusted KRA agent. That certificate is stored in an NSS database as well as in a PEM file, as shown below.

The configuration for this plugin in /etc/barbican/barbican.conf is as follows:

    [secretstore]
    ..
    enabled_secretstore_plugins = dogtag_crypto

    [dogtag_plugin]
    pem_path = '/etc/barbican/kra_admin_cert.pem'
    dogtag_host = localhost
    dogtag_port = 8443
    nss_db_path = '/etc/barbican/alias'
    nss_password = 'password123'
Vault Plugin

Vault is HashiCorp's tool for securing access to secrets and other objects such as API keys, passwords, or certificates. Vault provides a unified interface to any secret while enforcing tight access control and recording a detailed audit log.

The plugin communicates with Vault using a Vault token.

The configuration for this plugin in /etc/barbican/barbican.conf is as follows:

    [secretstore]
    ..
    enabled_secretstore_plugins = vault_plugin

    [vault_plugin]
    root_token_id =
    approle_role_id =
    approle_secret_id =
    kv_mountpoint = secret
    vault_url = https://127.0.0.1:8200
    use_ssl = True
    ssl_ca_crt_file = /opt/vault/tls/tls-ca.crt