Workload Encryption with Barbican

Learn about encrypting Trilio workloads with Barbican

Introduction

Integrating Trilio for OpenStack 4.2 with Barbican facilitates encryption support for the qcow2-data segment of Trilio backups. However, the JSON files housing the backed-up OpenStack metadata remain unencrypted.

This capability necessitates the presence of the OpenStack Barbican service. Absence of the Barbican service will result in the omission of encryption options for Workloads within the Horizon interface.

Trilio for OpenStack (T4O) 4.2 exclusively retrieves secrets from Barbican, without generating, modifying, or deleting any secrets within the Barbican platform.

Barbican secrets are indispensable for executing backups or restorations in encryption-enabled Workloads. The onus lies on the OpenStack project user to supply these secrets and guarantee their accurate availability.

In order to employ encrypted Workloads, the Trilio trustee role must be capable of interacting with the Barbican service to access and retrieve secrets from Barbican. By default, only the 'admin' and 'creator' roles are endowed with these permissions.

Encryption availability for a Workload is confined to the Workload creation stage. Post-creation, the encryption status of a Workload is irreversible; it cannot be altered or toggled.

Note: When leveraging OpenStack Barbican for protecting encrypted volumes and offering encrypted backups, it is essential that the Trustee Role is assigned as 'Creator' or a role that possesses permissions equivalent to the Creator role.

This is crucial because only the Creator role has the authority to create, read, and delete secrets within Barbican. The creation of encryption-enabled Workloads will fail if the Trustee Role does not possess the permissions associated with the 'Creator' role.

The following secret configurations are supported for AES-256:

Mode(s)         Content Types              Payload Content Encoding   Secret Type      Payload/Secret File
cbc, xts        text/plain                 None                       passphrase       plaintext
ctr, cbc, xts   application/octet-stream   base64                     symmetric keys   encoded with base64
cbc, ctr, xts   text/plain                 None                       opaque           plaintext

By default, Barbican will generate secrets of the following type:

  • Algorithm: AES-256 (all supported types utilize this algorithm)
  • Mode: cbc
  • Content type: application/octet-stream
  • Payload-content-encoding: base64
  • Secret type: opaque
  • Payload: plaintext

Prerequisite

For encrypted Workloads, Barbican must be enabled on OpenStack, and the trustee role must be kept as creator while configuring TVO-4.2.

Additionally, every user who will be interacting with TrilioVault for any operation must also have the creator role assigned.

1. Secret creation

Secrets can be created via the OpenStack CLI by following the steps below:

  1. Source the rc file of the user who is going to create the encrypted workload.

  2. Create any supported type of secret and fetch the secret UUID using the OpenStack secret CLI. Below is an example of creating a symmetric secret and fetching its UUID.

    a. Generate a new 256-bit key using order create:

()[root@overcloudtrain1-controller-0 /]# openstack secret order create --name secret2 --algorithm aes --mode ctr --bit-length 256 --payload-content-type=application/octet-stream key
+----------------+-------------------------------------------------------------------------------------------+
| Field          | Value                                                                                     |
+----------------+-------------------------------------------------------------------------------------------+
| Order href     | https://overcloudtrain1.trilio.local:13311/v1/orders/641bac2c-b5b2-4a7a-9172-8fe0cf55425d |
| Type           | Key                                                                                       |
| Container href | N/A                                                                                       |
| Secret href    | None                                                                                      |
| Created        | None                                                                                      |
| Status         | None                                                                                      |
| Error code     | None                                                                                      |
| Error message  | None                                                                                      |
+----------------+-------------------------------------------------------------------------------------------+

    b. View the details of the order to identify the location of the generated key, shown here as the Secret href value:

()[root@overcloudtrain1-controller-0 /]# openstack secret order get https://overcloudtrain1.trilio.local:13311/v1/orders/641bac2c-b5b2-4a7a-9172-8fe0cf55425d
+----------------+--------------------------------------------------------------------------------------------+
| Field          | Value                                                                                      |
+----------------+--------------------------------------------------------------------------------------------+
| Order href     | https://overcloudtrain1.trilio.local:13311/v1/orders/641bac2c-b5b2-4a7a-9172-8fe0cf55425d  |
| Type           | Key                                                                                        |
| Container href | N/A                                                                                        |
| Secret href    | https://overcloudtrain1.trilio.local:13311/v1/secrets/f2c96fe2-6ae7-4985-b98c-e571ba05403c |
| Created        | 2023-07-12T11:38:17+00:00                                                                  |
| Status         | ACTIVE                                                                                     |
| Error code     | None                                                                                       |
| Error message  | None                                                                                       |
+----------------+--------------------------------------------------------------------------------------------+

    c. Fetch the secret UUID via the command below (use the Secret href):

()[root@overcloudtrain1-controller-0 /]# openstack secret get https://overcloudtrain1.trilio.local:13311/v1/secrets/f2c96fe2-6ae7-4985-b98c-e571ba05403c
+---------------+--------------------------------------------------------------------------------------------+
| Field         | Value                                                                                      |
+---------------+--------------------------------------------------------------------------------------------+
| Secret href   | https://overcloudtrain1.trilio.local:13311/v1/secrets/f2c96fe2-6ae7-4985-b98c-e571ba05403c |
| Name          | secret2                                                                                    |
| Created       | 2023-07-12T11:38:17+00:00                                                                  |
| Status        | ACTIVE                                                                                     |
| Content types | {'default': 'application/octet-stream'}                                                    |
| Algorithm     | aes                                                                                        |
| Bit length    | 256                                                                                        |
| Secret type   | symmetric                                                                                  |
| Mode          | ctr                                                                                        |
| Expiration    | None                                                                                       |
+---------------+--------------------------------------------------------------------------------------------+
()[root@overcloudtrain1-controller-0 /]#

Note down the last segment of the Secret href URL, which is the secret UUID (8-4-4-4-12 format).

For example, the secret UUID for the Secret href URL https://overcloudtrain1.trilio.local:13311/v1/secrets/f2c96fe2-6ae7-4985-b98c-e571ba05403c is f2c96fe2-6ae7-4985-b98c-e571ba05403c.

This UUID will be used further on for creating the encrypted workload.
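As an added example that is not part of the Trilio documentation, the following shell functions run the two checks an operator would want before pasting a UUID into the Secret UUID text box: that the last segment of the Secret href really is an 8-4-4-4-12 UUID, and that the secret's attributes (as printed by `openstack secret get`) fall on one of the AES-256 rows of the support table above. The function names are my own, and the secret type is compared against the CLI spelling (`symmetric`, `passphrase`, `opaque`).

```shell
#!/bin/sh
# Added example (not Trilio's code): offline pre-flight checks for a Barbican
# secret before its UUID is used in a T4O encrypted workload. The accepted
# combinations are the AES-256 rows of the support table: secret type, mode,
# content type and payload-content-encoding.

# Print the UUID that forms the last path segment of a Secret href, e.g.
# https://host:13311/v1/secrets/f2c96fe2-6ae7-4985-b98c-e571ba05403c
# Fails (exit 1) when that segment is not in 8-4-4-4-12 hex format.
secret_uuid_from_href() {
  uuid="${1##*/}"
  printf '%s\n' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || return 1
  printf '%s\n' "$uuid"
}

# Return 0 when algorithm, bit length, secret type, mode, content type and
# encoding match a supported row of the table, 1 otherwise. Usage:
#   t4o_supports_secret aes 256 symmetric ctr application/octet-stream base64
t4o_supports_secret() {
  algorithm=$1 bits=$2 secret_type=$3 mode=$4 content_type=$5 encoding=$6
  # Every supported row uses AES-256.
  [ "$algorithm" = aes ] && [ "$bits" = 256 ] || return 1
  case "$secret_type:$mode:$content_type:$encoding" in
    passphrase:cbc:text/plain:None | passphrase:xts:text/plain:None) return 0 ;;
    symmetric:ctr:application/octet-stream:base64 | \
    symmetric:cbc:application/octet-stream:base64 | \
    symmetric:xts:application/octet-stream:base64) return 0 ;;
    opaque:cbc:text/plain:None | opaque:ctr:text/plain:None | opaque:xts:text/plain:None) return 0 ;;
  esac
  return 1
}

# Combined check: takes the Secret href followed by the six attributes shown
# by `openstack secret get`; prints the UUID only if everything is acceptable.
preflight_secret() {
  href=$1; shift
  uuid=$(secret_uuid_from_href "$href") || { echo "invalid Secret href: $href" >&2; return 1; }
  t4o_supports_secret "$@" || { echo "unsupported secret configuration for T4O" >&2; return 1; }
  printf '%s\n' "$uuid"
}
```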

2. Workload creation

  1. Log in to the OpenStack Horizon dashboard as the user who created the secret and go to Project -> Backup -> Workloads.

  2. Click on Create Workload.

  3. Select the checkbox for Enable Encryption.

  4. Provide the UUID noted in the steps above in the Secret UUID text box.

  5. Follow the usual procedure for the remaining tabs (Workload Member, Schedule, Policy & Option) and click on Create.

  6. The Workload will be created and the value of the Encryption field will be True.

Encrypted workload migration

For the migration of encrypted workloads, please follow: Migrating Encrypted Workloads

Upgrade from older release to 4.2

For an upgrade from an older release to 4.2, please follow: Upgrade Trilio

For Trilio configuration, please follow: Configuring Trilio

Refer to this guide for more information about managing Barbican secrets.