Secrets
Overview
firstcolo Cloud uses the OpenStack component Barbican for secret storage. We introduced Barbican primarily to provide a safe way to store SSL certificates and private keys for Octavia (Load Balancer as a Service).
Barbican secret storage is part of our global region. This means that, as with Keystone (Identity and Access) and Designate (DNSaaS), there is one API for all regions.
| Barbican feature | Supported |
|---|---|
| Secret storage and metadata | Yes |
| Containers | Yes |
| Consumers | Yes |
| Access control lists | Yes |
| Certificate orders | No |
Secret storage and metadata
All secrets are transferred and stored fully encrypted at all times. Metadata is not necessarily stored encrypted, so do not place sensitive values in secret names or metadata.
Containers
A container groups a set of secrets for a certain purpose. Containers can be of type generic, RSA, or Certificate.

| Type | Accompanied secret names |
|---|---|
| Generic | No restrictions |
| RSA | `public_key`, `private_key`, and `private_key_passphrase` |
| Certificate | `certificate` and optionally `private_key`, `private_key_passphrase`, and `intermediates` |
Consumers
Barbican can persist a list of consumers for any given container. A consumer consists of a consumer name, a URL and a reference to the container; Octavia, for example, registers itself as a consumer of the container it uses.
Access control lists
By default, secrets and containers are accessible to all users of a project (see the identity and access reference guide for more information about users, groups and projects). Using access control lists, you can restrict access to specific users.
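The following script, added here as an example and not part of the firstcolo documentation, walks through the container and ACL sections above: it stores a certificate and private key as secrets, groups them in a `certificate` container with the secret names the table permits, removes project-wide access in favour of one user, and hands the container to an Octavia listener. It assumes an authenticated OpenStack CLI with the Barbican and Octavia plugins, the files `server.crt` and `server.key` in the working directory, and the placeholders `ACL_USER_ID` and `LB_NAME`.

```shell
#!/usr/bin/env bash
# Added example (not firstcolo's or Barbican's own code).
set -eu

# Secret names Barbican accepts per container type (see the table above).
# Returns 0 if NAME may appear in a container of TYPE, 1 otherwise.
container_secret_ok() {  # container_secret_ok TYPE NAME
  case "$1" in
    generic) return 0 ;;
    rsa) case "$2" in public_key|private_key|private_key_passphrase) return 0 ;; esac ;;
    certificate) case "$2" in certificate|private_key|private_key_passphrase|intermediates) return 0 ;; esac ;;
  esac
  return 1
}

# Store a PEM file as a Barbican secret and print its href, which is the
# reference used by containers, consumers and ACLs.
store_pem() {  # store_pem NAME FILE SECRET_TYPE
  openstack secret store --name "$1" --secret-type "$3" \
    --payload-content-type text/plain --payload "$(cat "$2")" \
    -f value -c "Secret href"
}

main() {
  # Reject secret names the "certificate" container type does not accept.
  for n in certificate private_key; do
    container_secret_ok certificate "$n" || { echo "invalid name: $n" >&2; exit 1; }
  done
  cert_ref=$(store_pem lb-cert ./server.crt certificate)
  key_ref=$(store_pem lb-key ./server.key private)
  container_ref=$(openstack secret container create --type certificate --name lb-tls \
    --secret "certificate=$cert_ref" --secret "private_key=$key_ref" \
    -f value -c "Container href")
  # ACL: drop project-wide read access and allow only ACL_USER_ID (placeholder).
  # If Octavia runs under a separate service user, that user also needs read access.
  for ref in "$cert_ref" "$key_ref" "$container_ref"; do
    openstack acl submit --user "$ACL_USER_ID" --no-project-access --operation-type read "$ref"
  done
  # Use the container for TLS termination; Octavia registers itself as a consumer.
  openstack loadbalancer listener create --name https --protocol TERMINATED_HTTPS \
    --protocol-port 443 --default-tls-container-ref "$container_ref" "$LB_NAME"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then main; fi
```

Run with `RUN_DEMO=1` after exporting the placeholders; `openstack acl get <ref>` shows the resulting ACL for each reference.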