
Last pushed: 2 months ago
Image for running OpenStack Barbican key management server using Fortanix SDKMS to secure the keys.

Barbican

Barbican is a secret management service. It is maintained as part of the
OpenStack cloud infrastructure software stack, but it can also be run
without the rest of OpenStack.

Running Barbican with SDKMS via PKCS#11

Barbican supports storing its root secrets in an HSM through a PKCS#11 plugin.
This Docker image demonstrates storing the Master Key Encryption Key (MKEK)
and the HMAC secret material in the Fortanix Self-Defending Key Management
System (SDKMS). The container can operate with a pre-existing MKEK and HMAC
secret, or it can generate a new MKEK and HMAC secret to operate with.

Controlling Container Behavior with Environment Variables

There are several environment variables that control the behavior
of the container.

The variables are listed below with their default value and usage. A variable
with no default is unset unless you supply it.

FORTANIX_API_ENDPOINT
    Default: https://sdkms.fortanix.com
    Usage: Controls which Fortanix SDKMS server to talk to. You only need to
    override this setting if you are using an on-premise deployment of SDKMS
    rather than the cloud edition.

FORTANIX_API_KEY
    Default: (none)
    Usage: The API key used to authenticate with SDKMS.

FORTANIX_MKEK_LABEL
    Default: (none)
    Usage: If set, the label of an existing AES key to use as the Barbican
    MKEK. If unset, the container generates an AES key with a random label
    beginning with "barbican-mkek".

FORTANIX_HMAC_SECRET_LABEL
    Default: (none)
    Usage: If set, the label of an existing AES key to use as the Barbican
    HMAC secret. If unset, the container generates an AES key to use as the
    HMAC secret, with a random label beginning with "barbican-hmac".

You can override any of these environment variables when starting the
container by passing --env options to docker run.

Passing through Ports to the Host

Barbican listens on port 9311 inside the container. Pass this port through to
the host with the -p 9311:9311 option to docker run.

Example: Running with MKEK and HMAC Secret Generated by Container

docker run --env FORTANIX_API_ENDPOINT=https://sdkms.fortanix.com \
    --env FORTANIX_API_KEY=<your application API key> \
    -p 9311:9311 fortanix/sdkms-barbican

Example: Running with a Pre-Existing MKEK and HMAC Secret

docker run --env FORTANIX_MKEK_LABEL=barbican-mkek \
    --env FORTANIX_HMAC_SECRET_LABEL=barbican-hmac \
    --env FORTANIX_API_ENDPOINT=https://sdkms.fortanix.com \
    --env FORTANIX_API_KEY=<your application API key> \
    -p 9311:9311 fortanix/sdkms-barbican
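The following is an added example and is not part of the fortanix/sdkms-barbican image or of Fortanix's code. It is a POSIX shell sketch of how an entrypoint could apply the variable semantics described in the table above (use the supplied label, otherwise generate one with the documented prefix) and refuse to start on an incomplete configuration, which is what the two docker run examples rely on. The helper names resolve_key_label and validate_config, the 16-hex-character random suffix, and the HTTPS-only check are assumptions; the page documents only that generated labels begin with "barbican-mkek" or "barbican-hmac". The script never contacts SDKMS.

```shell
#!/bin/sh
# Added illustration of the documented environment-variable behaviour.
# Not the image's real entrypoint; key creation against SDKMS is out of scope.

# Documented default: the Fortanix cloud endpoint.
FORTANIX_API_ENDPOINT="${FORTANIX_API_ENDPOINT:-https://sdkms.fortanix.com}"

# resolve_key_label VALUE PREFIX
# Prints VALUE when it is non-empty (an existing key label supplied by the
# operator). Otherwise prints a fresh random label "PREFIX-<16 hex chars>",
# mirroring the page's "random label beginning with ..." behaviour. The suffix
# length and format are assumptions made for this example.
resolve_key_label() {
    value="$1"
    prefix="$2"
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        # 8 random bytes from the kernel CSPRNG, rendered as 16 hex characters.
        suffix=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
        printf '%s-%s\n' "$prefix" "$suffix"
    fi
}

# validate_config ENDPOINT API_KEY
# Returns 0 when the endpoint uses HTTPS and an API key is present, 1 otherwise.
# Both checks are assumptions for this example; the page only lists the variables.
# Refusing a plain-http endpoint keeps the API key off the wire in clear text.
validate_config() {
    endpoint="$1"
    api_key="$2"
    case "$endpoint" in
        https://*) ;;
        *)
            echo "FORTANIX_API_ENDPOINT must use https:// (got: $endpoint)" >&2
            return 1
            ;;
    esac
    if [ -z "$api_key" ]; then
        echo "FORTANIX_API_KEY is required to authenticate with SDKMS" >&2
        return 1
    fi
    return 0
}

# Demonstration run: resolve both labels from the environment and report.
MKEK_LABEL=$(resolve_key_label "${FORTANIX_MKEK_LABEL:-}" barbican-mkek)
HMAC_LABEL=$(resolve_key_label "${FORTANIX_HMAC_SECRET_LABEL:-}" barbican-hmac)
echo "MKEK label:        $MKEK_LABEL"
echo "HMAC secret label: $HMAC_LABEL"
if validate_config "$FORTANIX_API_ENDPOINT" "${FORTANIX_API_KEY:-}"; then
    echo "configuration OK; would start Barbican on port 9311"
else
    echo "configuration invalid; refusing to start" >&2
fi
```

Values reach such a script exactly as in the docker run examples above. A value given as --env NAME=value is visible in the caller's shell history and in the host's process listing for the docker client, so for FORTANIX_API_KEY prefer docker run -e FORTANIX_API_KEY (which takes the value from the caller's environment without echoing it) or --env-file pointing at a file with restrictive permissions.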
Owner: fortanix
