Workload Encryption with Barbican
Learn about encrypting Trilio workloads with Barbican
Introduction
Integrating Trilio for OpenStack 4.2 with Barbican facilitates encryption support for the qcow2-data segment of Trilio backups. However, the JSON files housing the backed-up OpenStack metadata remain unencrypted.
This capability necessitates the presence of the OpenStack Barbican service. Absence of the Barbican service will result in the omission of encryption options for Workloads within the Horizon interface.
Trilio for OpenStack (T4O) 4.2 exclusively retrieves secrets from Barbican, without generating, modifying, or deleting any secrets within the Barbican platform.
Barbican secrets are indispensable for executing backups or restorations in encryption-enabled Workloads. The onus lies on the OpenStack project user to supply these secrets and guarantee their accurate availability.
In order to employ encrypted Workloads, the Trilio trustee role must be capable of interacting with the Barbican service to access and retrieve secrets from Barbican. By default, only the 'admin' and 'creator' roles are endowed with these permissions.
Encryption availability for a Workload is confined to the Workload creation stage. Post-creation, the encryption status of a Workload is irreversible; it cannot be altered or toggled.
Note: When leveraging OpenStack Barbican for protecting encrypted volumes and offering encrypted backups, it's essential that the Trustee Role is assigned as 'Creator' or a role that possesses equivalent permissions to the Creator role.
This is crucial because only the Creator role has the authority to create, read, and delete secrets within Barbican. The generation of encryption-enabled workloads would be unsuccessful if the Trustee Role does not possess the permissions associated with the 'Creator' role.
The following secret configurations are supported for AES-256:
Mode(s) | Content Types | Payload Content Encoding | Secret Type | Payload/Secret File |
---|---|---|---|---|
cbc, xts | text/plain | None | passphrase | plaintext |
ctr, cbc, xts | application/octet-stream | base64 | symmetric keys | encoded with base64 |
cbc, ctr, xts | text/plain | None | opaque | plaintext |
By default Barbican will generate secrets of the following type:
Algorithm: AES-256 (all supported types utilize this algorithm)
Mode: cbc
Content type: application/octet-stream
Payload content encoding: base64
Secret type: opaque
Payload: plaintext
Prerequisite
For encrypted workloads, Barbican should be enabled on OpenStack, and while configuring TVO-4.2 the trustee role should be kept as creator.
Additionally, every user who will be interacting with TrilioVault for any operation should also have the creator role assigned.
1. Secret creation
A secret can be created via the OpenStack CLI by following the steps below:
Source the rc file of the user who is going to create the encrypted workload.
Create any supported type of secret and fetch the secret UUID using the OpenStack secret CLI.
Refer to this guide for more information about managing Barbican secrets
Below is an example of creating a symmetric secret and fetching its secret UUID.
a. Generate a new 256-bit key using openstack secret order create:
()[root@overcloudtrain1-controller-0 /]# openstack secret order create --name secret2 --algorithm aes --mode ctr --bit-length 256 --payload-content-type=application/octet-stream key
+----------------+-------------------------------------------------------------------------------------------+
| Field | Value |
+----------------+-------------------------------------------------------------------------------------------+
| Order href | https://overcloudtrain1.trilio.local:13311/v1/orders/641bac2c-b5b2-4a7a-9172-8fe0cf55425d |
| Type | Key |
| Container href | N/A |
| Secret href | None |
| Created | None |
| Status | None |
| Error code | None |
| Error message | None |
+----------------+-------------------------------------------------------------------------------------------+
b. View the details of the order to identify the location of the generated key, shown here as the Secret href value:
()[root@overcloudtrain1-controller-0 /]# openstack secret order get https://overcloudtrain1.trilio.local:13311/v1/orders/641bac2c-b5b2-4a7a-9172-8fe0cf55425d
+----------------+--------------------------------------------------------------------------------------------+
| Field | Value |
+----------------+--------------------------------------------------------------------------------------------+
| Order href | https://overcloudtrain1.trilio.local:13311/v1/orders/641bac2c-b5b2-4a7a-9172-8fe0cf55425d |
| Type | Key |
| Container href | N/A |
| Secret href | https://overcloudtrain1.trilio.local:13311/v1/secrets/f2c96fe2-6ae7-4985-b98c-e571ba05403c |
| Created | 2023-07-12T11:38:17+00:00 |
| Status | ACTIVE |
| Error code | None |
| Error message | None |
+----------------+--------------------------------------------------------------------------------------------+
c. Fetch the secret details via the command below (use the Secret href value):
()[root@overcloudtrain1-controller-0 /]# openstack secret get https://overcloudtrain1.trilio.local:13311/v1/secrets/f2c96fe2-6ae7-4985-b98c-e571ba05403c
+---------------+--------------------------------------------------------------------------------------------+
| Field | Value |
+---------------+--------------------------------------------------------------------------------------------+
| Secret href | https://overcloudtrain1.trilio.local:13311/v1/secrets/f2c96fe2-6ae7-4985-b98c-e571ba05403c |
| Name | secret2 |
| Created | 2023-07-12T11:38:17+00:00 |
| Status | ACTIVE |
| Content types | {'default': 'application/octet-stream'} |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | symmetric |
| Mode | ctr |
| Expiration | None |
+---------------+--------------------------------------------------------------------------------------------+
()[root@overcloudtrain1-controller-0 /]#
Note down the last segment of the Secret href URL, which is the UUID (8-4-4-4-12 format).
For example, the secret UUID for the Secret href URL https://overcloudtrain1.trilio.local:13311/v1/secrets/f2c96fe2-6ae7-4985-b98c-e571ba05403c is f2c96fe2-6ae7-4985-b98c-e571ba05403c.
This UUID will be used further for creating the encrypted workload.
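The shell script below is an added example and is not part of Trilio's documentation or tooling. It wraps the three CLI steps above (order create, order get, secret get) in functions, extracts the UUID that the Secret UUID field expects, and encodes the supported AES-256 configurations table from the Introduction as a pre-flight check, so that an unsupported or inactive secret is caught before the workload is created rather than when the first backup fails. It assumes an OpenStack rc file has been sourced, that the openstack CLI with the barbican plugin is installed, and that the role check's use of OS_USERNAME and OS_PROJECT_NAME matches the sourced rc file; all function names are this example's own.

```shell
#!/bin/sh
# Added example, not Trilio's or Barbican's own code. Assumes a sourced rc file
# and the openstack CLI with the barbican plugin; function names are hypothetical.
set -eu

# Extract the trailing UUID (8-4-4-4-12 hex groups) from a Secret href URL.
# Prints the UUID; returns 1 without printing if the href does not end in one.
secret_uuid_from_href() {
    href="$1"
    uuid="${href##*/}"
    case "$uuid" in
        ????????-????-????-????-????????????) ;;
        *) return 1 ;;
    esac
    case "$uuid" in
        *[!0-9a-fA-F-]*) return 1 ;;   # anything other than hex digits and hyphens
    esac
    printf '%s\n' "$uuid"
}

# Return 0 when (algorithm, bit length, secret type, mode) is one of the
# combinations in the supported-configurations table: AES-256 only, with
# passphrase -> cbc/xts, symmetric -> ctr/cbc/xts, opaque -> cbc/ctr/xts.
supported_secret_config() {
    algorithm="$1"; bits="$2"; secret_type="$3"; mode="$4"
    [ "$algorithm" = "aes" ] && [ "$bits" = "256" ] || return 1
    case "$secret_type" in
        passphrase) case "$mode" in cbc|xts) return 0 ;; esac ;;
        symmetric)  case "$mode" in ctr|cbc|xts) return 0 ;; esac ;;
        opaque)     case "$mode" in cbc|ctr|xts) return 0 ;; esac ;;
    esac
    return 1
}

# Create a 256-bit AES key order as in step a, wait for Barbican to generate
# the key (key orders are asynchronous), and print the resulting Secret href.
create_workload_secret() {
    name="$1"; mode="${2:-ctr}"
    order_href=$(openstack secret order create --name "$name" --algorithm aes \
        --mode "$mode" --bit-length 256 \
        --payload-content-type=application/octet-stream key \
        -f value -c "Order href")
    attempt=0
    status=PENDING
    while [ "$attempt" -lt 30 ]; do
        status=$(openstack secret order get "$order_href" -f value -c Status)
        case "$status" in
            ACTIVE) break ;;
            ERROR)  echo "order $order_href failed" >&2; return 1 ;;
        esac
        attempt=$((attempt + 1))
        sleep 2
    done
    [ "$status" = "ACTIVE" ] || { echo "order $order_href still $status after polling" >&2; return 1; }
    openstack secret order get "$order_href" -f value -c "Secret href"
}

# Pre-flight check before filling in the Secret UUID field: the secret must be
# ACTIVE and in a supported configuration, otherwise backups and restores of
# the encrypted workload will fail. Takes the full Secret href, prints the UUID.
check_workload_secret() {
    secret_href="$1"
    status=$(openstack secret get "$secret_href" -f value -c Status)
    algorithm=$(openstack secret get "$secret_href" -f value -c Algorithm)
    bits=$(openstack secret get "$secret_href" -f value -c "Bit length")
    secret_type=$(openstack secret get "$secret_href" -f value -c "Secret type")
    mode=$(openstack secret get "$secret_href" -f value -c Mode)
    [ "$status" = "ACTIVE" ] || { echo "secret is not ACTIVE: $status" >&2; return 1; }
    supported_secret_config "$algorithm" "$bits" "$secret_type" "$mode" \
        || { echo "unsupported secret config: $algorithm/$bits/$secret_type/$mode" >&2; return 1; }
    secret_uuid_from_href "$secret_href"
}

# Does the current user hold the creator role on the current project? The
# prerequisite above requires it for every user working with encrypted workloads.
current_user_has_creator_role() {
    openstack role assignment list --user "${OS_USERNAME:?}" \
        --project "${OS_PROJECT_NAME:?}" --names -f value -c Role | grep -qx creator
}

# Usage (needs a sourced rc file; nothing below runs when the file is merely sourced):
#   current_user_has_creator_role || echo "creator role missing" >&2
#   href=$(create_workload_secret secret2 ctr)
#   uuid=$(check_workload_secret "$href")   # paste $uuid into the Secret UUID field
```

The check deliberately reads each field with a separate `-f value -c` call rather than relying on column ordering of a single call, and it treats a non-ACTIVE order or secret as a hard failure because Trilio only retrieves secrets and cannot repair one that Barbican has not finished generating.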
2. Workload creation
Log in to the OpenStack Horizon dashboard as the user who created the secret and go to Project->Backup->Workloads.
Click on Create Workload.
Select the checkbox for Enable Encryption.
Provide the UUID noted in the steps above in the Secret UUID text box.
Follow the usual procedure for the remaining tabs (Workload Members, Schedule, Policy and Options) and click on Create.
The workload will be created and the value of its Encryption field will be True.
Encrypted workload migration
For migration of encrypted workload please follow: Migrating Encrypted Workloads
Upgrade from older release to 4.2
For upgrade from older release to 4.2 please follow: Upgrade Trilio
For Trilio configuration please follow: Configuring Trilio