Barbican is a secret management service. It is maintained as part of the
OpenStack virtual machine management software stack, but it can also be run
Running Barbican with SDKMS via PKCS#11
Barbican supports storing root secrets in an HSM using a PKCS#11 plugin.
This Docker image demonstrates storing the Master Key Encryption Key
and HMAC secret material in the Fortanix Self-Defending Key Management
System. The container can operate with a pre-existing MKEK and HMAC secret,
or it can generate a new MKEK and HMAC secret to operate with.
Controlling Container Behavior with Environment Variables
There are several environment variables that control the behavior
of the container.
| Variable Name | Default Value | Usage |
|---|---|---|
| FORTANIX_API_ENDPOINT | https://sdkms.fortanix.com | Controls what Fortanix SDKMS server to talk to. You will only need to override this setting if you are using an on-premise deployment of SDKMS and not the cloud edition. |
| FORTANIX_API_KEY | | The API key to use to authenticate with SDKMS. |
| FORTANIX_MKEK_LABEL | | If set, specifies the label of an existing AES key to use as the Barbican MKEK. If unset, the container will generate an AES key with a random label beginning with "barbican-mkek". |
| FORTANIX_HMAC_SECRET_LABEL | | If set, specifies the label of an existing AES key to use as the Barbican HMAC secret. If unset, the container will generate an AES key to use as the HMAC secret with a random label beginning with "barbican-hmac". |
You can override environment variables when running a Docker container with
Passing through Ports to the Host
Barbican runs on port 9311. This port may be passed through to the
host via the -p 9311:9311 option to docker run.
Example: Running with MKEK and HMAC Secret Generated by Container
    docker run --env FORTANIX_API_ENDPOINT=https://sdkms.fortanix.com \
        --env FORTANIX_API_KEY=<your application API key> \
        -p 9311:9311 fortanix/sdkms-barbican
Example: Running with a Pre-Existing MKEK and HMAC Secret
    docker run --env FORTANIX_MKEK_LABEL=barbican-mkek \
        --env FORTANIX_HMAC_SECRET_LABEL=barbican-hmac \
        --env FORTANIX_API_ENDPOINT=https://sdkms.fortanix.com \
        --env FORTANIX_API_KEY=<your application API key> \
        -p 9311:9311 fortanix/sdkms-barbican
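Both commands above place the API key value on the docker command line, where it is visible in the process list and shell history. The wrapper below is an added example, not part of the image's documentation: it builds the same arguments but passes the key by name only. The helper name `barbican_docker_args` and the HTTPS check are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the image's documentation.
# `--env NAME` with no `=value` makes Docker copy NAME from the caller's
# environment, so the API key value never appears in argv or shell history.

IMAGE=fortanix/sdkms-barbican
DEFAULT_ENDPOINT=https://sdkms.fortanix.com

# Hypothetical helper: prints one docker argument per line, non-zero on bad input.
barbican_docker_args() {
    endpoint=${FORTANIX_API_ENDPOINT:-$DEFAULT_ENDPOINT}
    if [ -z "${FORTANIX_API_KEY:-}" ]; then
        echo "FORTANIX_API_KEY is not set" >&2
        return 1
    fi
    # This example's own check: the API key is sent to this endpoint,
    # so refuse anything that is not HTTPS.
    case $endpoint in
        https://*) ;;
        *) echo "endpoint must use https://: $endpoint" >&2; return 1 ;;
    esac
    printf '%s\n' run --env "FORTANIX_API_ENDPOINT=$endpoint" --env FORTANIX_API_KEY
    # Labels are optional; when unset, the container generates the key itself.
    if [ -n "${FORTANIX_MKEK_LABEL:-}" ]; then
        printf '%s\n' --env "FORTANIX_MKEK_LABEL=$FORTANIX_MKEK_LABEL"
    fi
    if [ -n "${FORTANIX_HMAC_SECRET_LABEL:-}" ]; then
        printf '%s\n' --env "FORTANIX_HMAC_SECRET_LABEL=$FORTANIX_HMAC_SECRET_LABEL"
    fi
    printf '%s\n' -p 9311:9311 "$IMAGE"
}

# Usage: with FORTANIX_API_KEY exported in your shell, run `sh this-script run`.
if [ "${1:-}" = "run" ]; then
    export FORTANIX_API_KEY
    args=$(barbican_docker_args) || exit 1
    set --
    while IFS= read -r arg; do
        set -- "$@" "$arg"
    done <<EOF
$args
EOF
    exec docker "$@"
fi
```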