Workload Encryption with Barbican

Learn about encrypting Trilio workloads with Barbican

Introduction

Integrating Trilio for OpenStack 4.2 with Barbican adds encryption for the qcow2 data of Trilio backups. The JSON files that hold the backed-up OpenStack metadata remain unencrypted.

This capability requires the OpenStack Barbican service. If the Barbican service is absent, the encryption options for Workloads are not shown in the Horizon interface.

Trilio for OpenStack (T4O) 4.2 exclusively retrieves secrets from Barbican, without generating, modifying, or deleting any secrets within the Barbican platform.

Barbican secrets are required to run backups or restores of encryption-enabled Workloads. It is the responsibility of the OpenStack project user to supply these secrets and to keep them available and correct.

In order to employ encrypted Workloads, the Trilio trustee role must be capable of interacting with the Barbican service to access and retrieve secrets from Barbican. By default, only the 'admin' and 'creator' roles are endowed with these permissions.

Encryption availability for a Workload is confined to the Workload creation stage. Post-creation, the encryption status of a Workload is irreversible; it cannot be altered or toggled.

Note: When using OpenStack Barbican to protect encrypted volumes and provide encrypted backups, the Trustee Role must be set to 'creator' or to a role with permissions equivalent to the creator role.

This is crucial because only the creator role has the authority to create, read, and delete secrets within Barbican. Creating an encryption-enabled workload fails if the Trustee Role does not have the permissions associated with the 'creator' role.

The following secret configurations are supported for AES-256:

Mode(s)          Content Type               Payload Content Encoding   Secret Type      Payload/Secret File
cbc, xts         text/plain                 None                       passphrase       plaintext
ctr, cbc, xts    application/octet-stream   base64                     symmetric keys   encoded with base64
cbc, ctr, xts    text/plain                 None                       opaque           plaintext

By default Barbican will generate secrets of the following type:

  • Algorithm: AES-256 (all supported types use this algorithm)

  • Mode: cbc

  • Content type: application/octet-stream

  • Payload content encoding: base64

  • Secret type: opaque

  • Payload: plaintext
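As an added example (not code from the Trilio documentation or from the Barbican project), the following script stores a user-supplied AES-256 secret in each of the three supported configurations from the table above using the `openstack secret store` command. It assumes an OpenStack RC file has been sourced and that python-barbicanclient is installed; the secret names, modes and payload values are arbitrary placeholders. The key-length check is there because Barbican stores --bit-length as metadata only and does not verify that a base64 payload really decodes to 32 bytes.

```shell
#!/usr/bin/env bash
# Added example, not Trilio's or Barbican's own code: store a user-supplied AES-256
# secret in each of the three supported configurations from the table above.
# Assumes an OpenStack RC file has been sourced and python-barbicanclient provides
# `openstack secret store`. Secret names, modes and payloads are placeholders.
set -euo pipefail

# 32 random bytes (256 bits), base64-encoded on one line: the payload form that a
# 'symmetric' secret with application/octet-stream content expects.
gen_aes256_key_b64() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Succeed only if a base64 payload decodes to exactly 32 bytes, so that the
# --bit-length 256 metadata stored with the secret is truthful.
check_key_b64() {
    local n
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${n:-0}" -eq 32 ]
}

# Table row "symmetric keys": modes ctr/cbc/xts, application/octet-stream,
# base64-encoded payload. $1=name $2=mode $3=base64 key. Prints the Secret href.
store_symmetric_secret() {
    check_key_b64 "$3"
    openstack secret store --name "$1" --secret-type symmetric \
        --algorithm aes --bit-length 256 --mode "$2" \
        --payload-content-type application/octet-stream \
        --payload-content-encoding base64 \
        --payload "$3" -f value -c "Secret href"
}

# Table row "passphrase": modes cbc/xts, text/plain, plaintext payload, no encoding.
# $1=name $2=mode $3=passphrase. Prints the Secret href.
store_passphrase_secret() {
    openstack secret store --name "$1" --secret-type passphrase \
        --algorithm aes --bit-length 256 --mode "$2" \
        --payload-content-type text/plain \
        --payload "$3" -f value -c "Secret href"
}

# Table row "opaque": modes cbc/ctr/xts, text/plain, plaintext payload, no encoding.
# $1=name $2=mode $3=secret material. Prints the Secret href.
store_opaque_secret() {
    openstack secret store --name "$1" --secret-type opaque \
        --algorithm aes --bit-length 256 --mode "$2" \
        --payload-content-type text/plain \
        --payload "$3" -f value -c "Secret href"
}

# Only talk to Barbican when explicitly asked, so the helpers can be sourced offline.
if [ "${1-}" = "--run" ]; then
    key=$(gen_aes256_key_b64)
    store_symmetric_secret wl-key-symmetric ctr "$key"
    store_passphrase_secret wl-key-passphrase cbc 'correct horse battery staple'
    store_opaque_secret wl-key-opaque xts 'opaque-secret-material'
fi
```

Passing the payload with --payload puts it into shell history and process listings; for production secrets prefer reading it from a file (python-barbicanclient offers a --file option for this) or piping it in from a secret manager. Whichever row of the table you pick, the content type and encoding must match the secret type exactly, otherwise Trilio will retrieve a payload it cannot use as a key.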

Prerequisite

For encrypted workloads, Barbican must be enabled on OpenStack, and the trustee role must be set to creator while configuring TVO-4.2.

Additionally, every user who will interact with TrilioVault for any operation must also have the creator role assigned.

1. Secret creation

A secret can be created with the OpenStack CLI by following the steps below.

  1. Source the RC file of the user who is going to create the encrypted workload.

  2. Create a secret of any supported type and fetch its UUID with the OpenStack secret CLI.

    1. Refer to this guide for more information about managing Barbican secrets.

    2. Below is an example of creating a symmetric secret and fetching its UUID.

      a. Generate a new 256-bit key using order create:

()[root@overcloudtrain1-controller-0 /]# openstack secret order create --name secret2 --algorithm aes --mode ctr --bit-length 256 --payload-content-type=application/octet-stream key
+----------------+-------------------------------------------------------------------------------------------+
| Field          | Value                                                                                     |
+----------------+-------------------------------------------------------------------------------------------+
| Order href     | https://overcloudtrain1.trilio.local:13311/v1/orders/641bac2c-b5b2-4a7a-9172-8fe0cf55425d |
| Type           | Key                                                                                       |
| Container href | N/A                                                                                       |
| Secret href    | None                                                                                      |
| Created        | None                                                                                      |
| Status         | None                                                                                      |
| Error code     | None                                                                                      |
| Error message  | None                                                                                      |
+----------------+-------------------------------------------------------------------------------------------+

      b. View the details of the order to identify the location of the generated key, shown here as the Secret href value:

()[root@overcloudtrain1-controller-0 /]# openstack secret order get https://overcloudtrain1.trilio.local:13311/v1/orders/641bac2c-b5b2-4a7a-9172-8fe0cf55425d
+----------------+--------------------------------------------------------------------------------------------+
| Field          | Value                                                                                      |
+----------------+--------------------------------------------------------------------------------------------+
| Order href     | https://overcloudtrain1.trilio.local:13311/v1/orders/641bac2c-b5b2-4a7a-9172-8fe0cf55425d  |
| Type           | Key                                                                                        |
| Container href | N/A                                                                                        |
| Secret href    | https://overcloudtrain1.trilio.local:13311/v1/secrets/f2c96fe2-6ae7-4985-b98c-e571ba05403c |
| Created        | 2023-07-12T11:38:17+00:00                                                                  |
| Status         | ACTIVE                                                                                     |
| Error code     | None                                                                                       |
| Error message  | None                                                                                       |
+----------------+--------------------------------------------------------------------------------------------+

      c. Fetch the secret details using the Secret href; the secret UUID is the last path segment of that URL:

()[root@overcloudtrain1-controller-0 /]# openstack secret get https://overcloudtrain1.trilio.local:13311/v1/secrets/f2c96fe2-6ae7-4985-b98c-e571ba05403c
+---------------+--------------------------------------------------------------------------------------------+
| Field         | Value                                                                                      |
+---------------+--------------------------------------------------------------------------------------------+
| Secret href   | https://overcloudtrain1.trilio.local:13311/v1/secrets/f2c96fe2-6ae7-4985-b98c-e571ba05403c |
| Name          | secret2                                                                                    |
| Created       | 2023-07-12T11:38:17+00:00                                                                  |
| Status        | ACTIVE                                                                                     |
| Content types | {'default': 'application/octet-stream'}                                                    |
| Algorithm     | aes                                                                                        |
| Bit length    | 256                                                                                        |
| Secret type   | symmetric                                                                                  |
| Mode          | ctr                                                                                        |
| Expiration    | None                                                                                       |
+---------------+--------------------------------------------------------------------------------------------+

Note down the last segment of the Secret href URL, which is the secret UUID (8-4-4-4-12 format).

For example, the secret UUID for the Secret href URL https://overcloudtrain1.trilio.local:13311/v1/secrets/f2c96fe2-6ae7-4985-b98c-e571ba05403c is f2c96fe2-6ae7-4985-b98c-e571ba05403c.

This UUID is used later when creating the encrypted workload.
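As an added example (not Trilio's own tooling or the Barbican project's code), the following script automates the procedure just shown: it checks that the current user holds the creator (or admin) role in the project, places a key order with `openstack secret order create`, polls the order until it is ACTIVE, and prints the bare secret UUID that the Horizon "Secret UUID" field expects. It assumes a sourced RC file that sets OS_USERNAME and OS_PROJECT_NAME; the secret name and the 60-second polling budget are arbitrary choices.

```shell
#!/usr/bin/env bash
# Added example, not Trilio's own tooling: drive the order-create flow and return
# the bare secret UUID for the Horizon "Secret UUID" field.
# Assumes a sourced RC file (OS_USERNAME, OS_PROJECT_NAME) and python-barbicanclient.
set -euo pipefail

# Extract the UUID from a Barbican secret href and check the 8-4-4-4-12 shape.
# Returns non-zero and prints nothing if the href does not end in a UUID.
secret_uuid_from_href() {
    local uuid="${1##*/}"
    printf '%s' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || return 1
    printf '%s\n' "$uuid"
}

# Given one role name per line (the output of `openstack role assignment list
# --names -f value -c Role`), succeed only if creator or admin is among them:
# by default those are the only roles allowed to read secrets from Barbican.
has_secret_access_role() {
    printf '%s\n' "$1" | grep -Eqx '(creator|admin)'
}

# Place a key order and poll it until Barbican reports the generated secret.
# $1=name $2=mode (ctr|cbc|xts). Prints the Secret href on success.
order_aes256_key() {
    local name="$1" mode="$2" order_href status i
    order_href=$(openstack secret order create key --name "$name" --algorithm aes \
        --mode "$mode" --bit-length 256 \
        --payload-content-type application/octet-stream \
        -f value -c "Order href")
    for i in $(seq 1 30); do
        status=$(openstack secret order get "$order_href" -f value -c Status)
        case "$status" in
            ACTIVE) openstack secret order get "$order_href" -f value -c "Secret href"; return 0 ;;
            ERROR)  echo "order $order_href failed" >&2; return 1 ;;
        esac
        sleep 2
    done
    echo "order $order_href still $status after 60s" >&2
    return 1
}

main() {
    local user="${OS_USERNAME:?source your RC file first}"
    local project="${OS_PROJECT_NAME:?source your RC file first}"
    local roles href
    roles=$(openstack role assignment list --user "$user" --project "$project" \
        --names -f value -c Role)
    has_secret_access_role "$roles" || {
        echo "user $user lacks the creator role in project $project" >&2; exit 1; }
    href=$(order_aes256_key "${1:-trilio-workload-key}" "${2:-ctr}")
    secret_uuid_from_href "$href"
}

# Only talk to OpenStack when invoked with --run, so the helpers can be sourced
# and exercised offline. Usage: ./order-key.sh --run [name] [mode]
if [ "${1-}" = "--run" ]; then
    shift
    main "$@"
fi
```

The role check runs before the order is placed because a missing creator role shows up only later, as a failed workload creation, which is harder to diagnose. The UUID regex rejects anything that is not a lowercase hex 8-4-4-4-12 identifier, so a truncated or mis-copied href is caught before it reaches the workload form.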

2. Workload creation

  1. Log in to the OpenStack Horizon dashboard as the user who created the secret and go to Project -> Backup -> Workloads.

  2. Click Create Workload.

  3. Select the Enable Encryption checkbox.

  4. Enter the UUID noted in the steps above in the Secret UUID text box.

  5. Follow the usual procedure for the remaining tabs (Workload Members, Schedule, Policy and Options) and click Create.

  6. The workload is created and its Encryption field shows True.

Encrypted workload migration

For migration of encrypted workload please follow: Migrating Encrypted Workloads

Upgrade from older release to 4.2

For upgrade from older release to 4.2 please follow: Upgrade Trilio

For Trilio configuration please follow: Configuring Trilio
