Barbican (Encryption/Secrets)

Barbican is mainly used to provide TLS termination (see an example here), but you can also interact with it for other purposes.

You need the Barbican CLI:

Ubuntu - Debian

sudo apt install python3-barbicanclient

CentOS - Red Hat

sudo yum install python3-barbicanclient

Create a secret

taylor@laptop:~$ openstack secret store --name 'mysecret' --payload 'This is my secret ! chuuuut'
+---------------+-------------------------------------------------------------------------------------------------+
| Field         | Value                                                                                           |
+---------------+-------------------------------------------------------------------------------------------------+
| Secret href   | https://pub1-api.cloud.infomaniak.ch/keymanager/v1/secrets/61d05c6b-403e-41be-9421-d94b3ba140a5 |
| Name          | mysecret                                                                                        |
| Created       | None                                                                                            |
| Status        | None                                                                                            |
| Content types | None                                                                                            |
| Algorithm     | aes                                                                                             |
| Bit length    | 256                                                                                             |
| Secret type   | opaque                                                                                          |
| Mode          | cbc                                                                                             |
| Expiration    | None                                                                                            |
+---------------+-------------------------------------------------------------------------------------------------+

List secrets

taylor@laptop:~$ openstack secret list --fit-width
+------------------------------------------+----------+---------------------------+--------+---------------------------+-----------+------------+-------------+------+------------+
| Secret href                              | Name     | Created                   | Status | Content types             | Algorithm | Bit length | Secret type | Mode | Expiration |
+------------------------------------------+----------+---------------------------+--------+---------------------------+-----------+------------+-------------+------+------------+
| https://pub1-api.cloud.infomaniak.ch/key | mysecret | 2021-03-17T12:20:38+00:00 | ACTIVE | {'default': 'text/plain'} | aes       |        256 | opaque      | cbc  | None       |
| manager/v1/secrets/61d05c6b-403e-41be-94 |          |                           |        |                           |           |            |             |      |            |
| 21-d94b3ba140a5                          |          |                           |        |                           |           |            |             |      |            |
+------------------------------------------+----------+---------------------------+--------+---------------------------+-----------+------------+-------------+------+------------+

Decrypt a secret

Pass the secret's ID, which is the last part of the Secret href shown in the first column of the previous output:

taylor@laptop:~$ openstack secret get 61d05c6b-403e-41be-9421-d94b3ba140a5 --decrypt
+---------+-----------------------------+
| Field   | Value                       |
+---------+-----------------------------+
| Payload | This is my secret ! chuuuut |
+---------+-----------------------------+
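
A helper for scripting the step above, as an added example that is not part of the original page: it reduces a Secret href to the ID passed to `openstack secret get` and refuses hrefs that are not under the expected key-manager endpoint. The function names and the `BARBICAN_SECRETS_BASE` variable are assumptions; the endpoint value is the one visible in the output above.

```shell
#!/bin/sh
# Added example, not the page's own code. The endpoint is the one shown in the
# page's output; adjust it (assumed variable name) for another region or cloud.
BARBICAN_SECRETS_BASE='https://pub1-api.cloud.infomaniak.ch/keymanager/v1/secrets'

# Print the bare secret ID for an href. Fails (non-zero, no output) when the
# href is not directly under the expected endpoint or does not end in a UUID.
secret_id_from_href() {
    href=${1%/}                        # tolerate one trailing slash
    id=${href##*/}                     # last path segment
    [ "$href" = "$BARBICAN_SECRETS_BASE/$id" ] || return 1
    case $id in
        *[!0-9a-f-]*) return 1 ;;      # lowercase hex and dashes only
    esac
    printf '%s\n' "$id" |
        grep -Eqx '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}' || return 1
    printf '%s\n' "$id"
}

# Read hrefs one per line on stdin, the shape produced by
#   openstack secret list -f value -c "Secret href"
# Print the ID of every href that passes the check and report the others on
# stderr. Returns non-zero if at least one href was rejected.
secret_ids_from_list() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! secret_id_from_href "$line"; then
            printf 'skipped unexpected href: %s\n' "$line" >&2
            rc=1
        fi
    done
    return $rc
}
```

Using the machine-readable `-f value -c "Secret href"` output avoids having to rejoin the href that `--fit-width` wraps across several table rows.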