当前版本发布说明¶

20.0.0-14¶

The [p11_crypto_plugin] algorithm option, which is effectively a deprecated alias of the [p11_crypto_plugin] encryption_mechanism option, has been removed.

Added a new subcommand to barbican-manage:

barbican-manage simple_crypto new_pkek --project $PROJECT_ID

This new command creates a new Project-specific Key-encryption-key (pKEK) for the specified project. New secrets created in that project will be encrypted with this new pKEK. Existing secrets are not modified by this command.

Added a new subcommand to barbican-manage:

barbican-manage simple_crypto rewrap_secrets --project $PROJECT_ID

This new command re-encrypts all secrets using the latest active Project- specific Key-encryption-key (pKEK) for the specified project. This enables administrator to rotate pKEKs so that old pKEKs can be safely deleted from the database.

Key-encryption-key rotation has been implemented for for the Simple Crypto plugin backend. A new symmetric Fernet key can be created and added to the configuration file at any time. The kek option in the [simple_crypto_plugin] section can now be specified multiple times. When more than one KEK is configured, the first key is used to encrypt new project-specific keys (pKEKs) and the rest of the keys are only used to decrypt existing data.

A new sub-command has been added to barbican-manage to re-encrypt existing pKEKs using the first kek in the config file. This command can be executed to ensure that all pKEKs in the database are re-encrypted with a specific key.

To fully rotate an existing KEK, you can now generate a new KEK to replace ane existing key. You can add the new key as the first kek in the configuration file, and keep the existing key as the second kek. Then you can execute barbican-manage simple_crypto rewrap_pkek to re-encrypt all existing pKEKs with the new key. After the command executes, you can remove any previous keys from the config file.