Barbican and Volume Encryption

Setting up Barbican to authenticate with Keystone

Of course, the raison d’etre of Barbican is to interact with Openstack.
At this point, if you’ve been following along, you should have a
Barbican instance running on port 9312, with requests to the Barbican
endpoint of https://hostname:9311 proxied by haproxy. The Barbican
instance is configured to interact with the Dogtag CA and KRA on the
back-end, possibly in an IPA instance deployed in a container.

Now it's time to add the rest of Openstack. For simplicity, I'm just
going to use Packstack here. On the Openstack controller, then:

sudo yum install -y openstack-packstack 
packstack --allinone

Next, we’re going to add the required users, services and endpoints
for Barbican to keystone. Note, of course, that we are using the
HTTPS endpoint for Barbican.::

 source /root/keystonerc_admin
 # service user for Barbican, with the admin role in the services project
 openstack user create --password=orange barbican
 openstack role add --user=barbican --project=services admin
 # register the key-manager service and its HTTPS endpoints
 openstack service create --name=barbican \
   --description="Barbican Key Management Service" key-manager
 openstack endpoint create --region RegionOne \
   --publicurl https://`hostname`:9311 \
   --internalurl https://`hostname`:9311 barbican

Finally, we need to set up Barbican to use Keystone as an authorization
source. Until now we have been using the unauthenticated authz plugin, which simply passes every request through without checking a token.

crudini --set /etc/barbican/barbican-api-paste.ini \
  pipeline:barbican_api \
  pipeline "keystone_authtoken context apiapp" 
crudini --set /etc/barbican/barbican-api-paste.ini \
  filter:keystone_authtoken \
  identity_uri "http://`hostname`:35357" 
crudini --set /etc/barbican/barbican-api-paste.ini \
  filter:keystone_authtoken \
  admin_tenant_name services  
systemctl restart openstack-barbican-api.service

Setting up Cinder Volume Encryption Using Barbican

Cinder and Nova have integrated with Barbican to do volume encryption
in no small part due to the valiant efforts of the folks at Johns Hopkins
Applied Physics lab. The relevant blueprints are here [link].

I put together a short video on how the volume encryption works and
how to test it (encrypted_volumes_video).

Let's set it up.

1. Configure nova to use Barbican as a KeyManager.::

crudini --set /etc/nova/nova.conf keymgr \
  api_class "nova.keymgr.barbican.BarbicanKeyManager" 
crudini --set /etc/nova/nova.conf keymgr \
  encryption_auth_url "http://`hostname`:5000/v3" 
crudini --set /etc/nova/nova.conf barbican \
  catalog_info "key-manager:barbican:public" 
crudini --set /etc/nova/nova.conf barbican \
  endpoint_template "https://`hostname`:9311/v1" 
crudini --set /etc/nova/nova.conf barbican \
  os_region_name "RegionOne" 
systemctl restart openstack-nova-api.service

2. Configure cinder to use Barbican as a KeyManager. ::

crudini --set /etc/cinder/cinder.conf keymgr \
  api_class cinder.keymgr.barbican.BarbicanKeyManager 
crudini --set /etc/cinder/cinder.conf keymgr \
  encryption_auth_url "http://`hostname`:5000/v3" 
crudini --set /etc/cinder/cinder.conf keymgr \
  encryption_api_url "https://`hostname`:9311/v1" 
systemctl restart openstack-cinder-api.service
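As an added check, written for this post and not part of the original or of any OpenStack project, the following POSIX shell script audits the three files edited in the Keystone section and in steps 1 and 2 above: it confirms that the barbican_api paste pipeline now starts with keystone_authtoken and no longer contains the pass-through filter, that the keystone_authtoken filter has identity_uri and admin_tenant_name set, and that nova.conf and cinder.conf select the BarbicanKeyManager and reach Barbican over https://. The file contents it generates are constructed samples mirroring what the crudini commands above write, with controller.example standing in for `hostname`; the filter name unauthenticated-context in the "before" sample is assumed to be the pass-through filter the text refers to.

```shell
# Added example, not from the original post: audit the config files edited
# above and flag a Barbican that still accepts unauthenticated requests, or a
# service that reaches the key manager over plain HTTP. Assumes the
# "key = value" layout crudini writes; sample files below are constructed.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION], empty if absent.
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        { line = $0; sub(/[ \t\r]+$/, "", line) }
        line == s { insec = 1; next }
        /^\[/     { insec = 0 }
        insec {
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1); gsub(/[ \t]/, "", key)
            if (key == k) {
                val = substr(line, eq + 1); sub(/^[ \t]+/, "", val)
                print val; exit
            }
        }' "$1"
}

# 0 if every barbican_api request is validated by keystone_authtoken before
# it reaches the app; 1 if the pass-through filter is (still) in the chain.
barbican_pipeline_requires_keystone() {
    pipeline=$(ini_get "$1" pipeline:barbican_api pipeline)
    set -- $pipeline                 # split into individual filter names
    [ "$#" -ge 2 ] && [ "$1" = keystone_authtoken ] || return 1
    for filter in "$@"; do
        [ "$filter" = unauthenticated-context ] && return 1
    done
    return 0
}

# 0 if the keystone_authtoken filter knows where to validate tokens.
keystone_filter_configured() {
    [ -n "$(ini_get "$1" filter:keystone_authtoken identity_uri)" ] &&
    [ -n "$(ini_get "$1" filter:keystone_authtoken admin_tenant_name)" ]
}

# keymgr_uses_barbican_over_https FILE URL_SECTION URL_KEY: 0 if FILE selects
# the Barbican key manager and its API URL is https:// (nova.conf keeps that
# URL in [barbican] endpoint_template, cinder.conf in [keymgr] encryption_api_url).
keymgr_uses_barbican_over_https() {
    case "$(ini_get "$1" keymgr api_class)" in
        *.keymgr.barbican.BarbicanKeyManager) ;;
        *) return 1 ;;
    esac
    case "$(ini_get "$1" "$2" "$3")" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}
# Constructed sample: the pass-through pipeline before the crudini edits
# (filter name unauthenticated-context is assumed; factory lines omitted).
write_passthrough_paste() {
    printf '%s\n' '[pipeline:barbican_api]' \
        'pipeline = unauthenticated-context apiapp' > "$1"
}
# Constructed sample: what the three crudini commands above leave behind.
write_keystone_paste() {
    printf '%s\n' '[pipeline:barbican_api]' \
        'pipeline = keystone_authtoken context apiapp' '' \
        '[filter:keystone_authtoken]' \
        'identity_uri = http://controller.example:35357' \
        'admin_tenant_name = services' > "$1"
}
# Constructed nova.conf / cinder.conf sections from steps 1 and 2; the second
# argument is the Barbican API URL to write (controller.example = `hostname`).
write_nova_conf() {
    printf '%s\n' '[keymgr]' \
        'api_class = nova.keymgr.barbican.BarbicanKeyManager' \
        'encryption_auth_url = http://controller.example:5000/v3' '' \
        '[barbican]' 'catalog_info = key-manager:barbican:public' \
        "endpoint_template = $2" 'os_region_name = RegionOne' > "$1"
}
write_cinder_conf() {
    printf '%s\n' '[keymgr]' \
        'api_class = cinder.keymgr.barbican.BarbicanKeyManager' \
        'encryption_auth_url = http://controller.example:5000/v3' \
        "encryption_api_url = $2" > "$1"
}

# Run the checks over the samples; cinder.conf is given an http:// URL here
# on purpose so the warning path is exercised.
audit_demo() {
    tmp=$(mktemp -d)
    write_passthrough_paste "$tmp/before.ini"; write_keystone_paste "$tmp/after.ini"
    write_nova_conf "$tmp/nova.conf" https://controller.example:9311/v1
    write_cinder_conf "$tmp/cinder.conf" http://controller.example:9311/v1
    for f in "$tmp/before.ini" "$tmp/after.ini"; do
        barbican_pipeline_requires_keystone "$f" && keystone_filter_configured "$f" \
            && echo "$f: OK" || echo "$f: WARNING, accepts requests without Keystone"
    done
    keymgr_uses_barbican_over_https "$tmp/nova.conf" barbican endpoint_template \
        && echo "nova.conf: OK" || echo "nova.conf: WARNING, key manager not Barbican over HTTPS"
    keymgr_uses_barbican_over_https "$tmp/cinder.conf" keymgr encryption_api_url \
        && echo "cinder.conf: OK" || echo "cinder.conf: WARNING, key manager not Barbican over HTTPS"
    rm -rf "$tmp"
}
audit_demo
```

After the restarts, point the functions at the real files (for example `barbican_pipeline_requires_keystone /etc/barbican/barbican-api-paste.ini`): a non-zero exit means Barbican would still hand out volume keys to anyone who can reach port 9311, which is worth catching before the first encrypted volume is created.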

Testing Cinder Volume Encryption using Barbican

The video shows you how to set things up using the Horizon Web UI.
Let's see how to set this up using the CLIs.

1. Create a cinder volume encryption type. Right now the Openstack
client does not allow you to create encryption types, so we’ll
fall back to the cinder CLI. This operation needs to be done
as an admin user. ::

source /root/keystonerc_admin
openstack volume type create LUKS 
cinder encryption-type-create --cipher aes-xts-plain64 \
  --key_size 512 --control_location front-end \
  LUKS nova.volume.encryptors.luks.LuksEncryptor

2. Create a volume with the encryption type. When this step is
performed, a symmetric encryption key should be generated by Barbican
and the reference to that encryption key should be stored in the
cinder metadata. You should be able to see this happening by tailing
the journal for the Barbican service. ::

openstack volume create --size 1 --type LUKS \
  --image cirros encrypted_volume

3. Create a compute VM.::

NET_ID=`openstack network list |awk '/ public / {print $2}'` 
openstack server create --flavor m1.tiny \
  --image cirros --nic "net-id=${NET_ID}" vm-test

4. Attach the volume to the VM. At this point, the hypervisor should
retrieve the encryption key from Barbican, and the volume should
be decrypted and attached. Again, the key retrieval should be visible
in the Barbican journal. ::

openstack server add volume --device /dev/vdc \
  vm-test encrypted_volume

10 thoughts on “Barbican and Volume Encryption”

  1. When attaching an encrypted volume I get “ValueError: keymgr.fixed_key not defined” error – had to add fixed_key entry in /etc/nova/nova.conf to make it work.

    Also, please confirm if the fixed_key should be configured in cinder.conf since does instruct to manage this.
    In devstack setup for barbican the fixed_key in cinder.conf is missing and shows up only in nova.conf.

    Thanks.


  2. Also, after some period of time it's not possible to either create a new volume or delete an existing one. I get the following error:

    [root@aiob2 ~(keystone_admin)]# cinder delete 412c5e8d-db1c-4a85-818d-618b690a7ed7
    Delete for volume 412c5e8d-db1c-4a85-818d-618b690a7ed7 failed: Volume cannot be deleted while in attached state (HTTP 400) (Request-ID: req-f9f4b41d-3164-43dd-9620-4f5822f1bdfc)
    ERROR: Unable to delete any of the specified volumes.

    Exactly the same problem takes place in the Barbican deployed by devstack.


    1. That's one of the nice things about the design of this feature. All of the work in creating and retrieving the encryption keys for the volume is done by cinder and nova in the background.

      From the point of view of the VM, the encrypted volume looks just like any other volume. And from the point of view of the tools (UI or CLI), the volumes are displayed and managed exactly the same way as unencrypted volumes.

      Check out the video, in which I use the UI to attach the volume to a nova instance.


  3. Hey, I am unable to create a bootable encrypted volume as you did in your video. I am using Devstack and am able to make a non-bootable encrypted volume, and the c-vol log does not have an error explaining why it is unable to create a bootable encrypted volume. The Horizon dashboard just gives “Unable to create volume”.


      1. cinder create --image cirros-0.3.4-x86_64-uec --name pravin --volume-type LUKS 2

        ERROR: Invalid input received: Create encrypted volumes with type 5d7e0fc1-5ac5-42d5-93b4-ea821b70dcd4 from image 0c2b394f-d44b-425c-87b1-3d90288bbf17 is not supported. (HTTP 400) (Request-ID: req-6137b4f9-d472-4123-9aae-cae3b3fd004d)

