Current Series Release Notes
19.0.0-19
New Features
Key-encryption-key (KEK) rotation has been implemented for the Simple Crypto plugin backend. A new symmetric Fernet key can be created and added to the configuration file at any time. The kek option in the [simple_crypto_plugin] section can now be specified multiple times. When more than one KEK is configured, the first key is used to encrypt new project-specific keys (pKEKs) and the rest of the keys are only used to decrypt existing data.
A new sub-command has been added to barbican-manage to re-encrypt existing pKEKs using the first kek in the config file. This command can be executed to ensure that all pKEKs in the database are re-encrypted with a specific key.
To fully rotate an existing KEK, you can now generate a new KEK to replace an existing key. Add the new key as the first kek in the configuration file, and keep the existing key as the second kek. Then execute barbican-manage simple_crypto rewrap_pkek to re-encrypt all existing pKEKs with the new key. After the command executes, you can remove any previous keys from the config file.
Upgrade Notes
Support for Python 3.8 has been removed. The minimum Python version now supported is 3.9.
Deprecation Notes
The [p11_crypto_plugin]hmac_keywrap_mechanism option has been replaced by [p11_crypto_plugin]hmac_mechanism. This option was renamed to avoid confusion since this mechanism is only used to sign encrypted data and never used for key wrap encryption.
Security Issues
The PKCS#11 backend driver has been updated to support newer Key Wrap mechanisms. New deployments should use CKM_AES_KEY_WRAP_KWP, but CKM_AES_KEY_WRAP_PAD and CKM_AES_CBC_PAD are also supported for compatibility with older devices that have not yet implemented PKCS#11 Version 3.0.
The configuration for the Simple Crypto Plugin has been updated to allow more than one Key-Encryption-Key (KEK) to be defined. This makes it possible to rotate in new KEKs on demand. If more than one KEK is specified in the config file, the first KEK is considered “active”, which means it will be used to encrypt any new Project-specific KEKs. Any additional KEKs will only be used to decrypt existing pKEKs when necessary. For example:
    [simple_crypto_plugin]
    # First key is used for encrypting new data
    kek = Yl1EKQ5e4VpK3X7lbWF249GDsk0mrL929P-Mnnz-bdc=
    # Additional keys used for decrypting existing data
    kek = AfXmy1NEfzmtJEYVGrQJ0C2-dr8S0lFoNBX5Vb7MC44=
    kek = Ua4Y8ryfamShYT_TzxSjok9Tl11OWFSk3whOSY-TIaw=
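A pre-rotation sanity check for the multi-kek layout and the rotation steps described above, as an added example that is not Barbican's own code: it lists each kek in file order with its role and flags entries that are not valid Fernet keys or that repeat an earlier one. The function names, the hand-written parser and the sample keys are assumptions of this example.

```python
import base64
import hashlib

def parse_keks(conf_text, section="simple_crypto_plugin"):
    """Return every kek value in the section, in file order."""
    # Parsed by hand: configparser rejects or collapses repeated options,
    # and here the order of the repeated kek lines decides the active key.
    keks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == section and "=" in line:
            name, value = line.split("=", 1)
            if name.strip() == "kek":
                keks.append(value.strip())
    return keks

def check_keks(keks):
    """Return (report, problems); keys appear only as SHA-256 fingerprints."""
    report, problems, seen = [], [], set()
    if not keks:
        problems.append("no kek configured")
    for n, kek in enumerate(keks, start=1):
        fp = hashlib.sha256(kek.encode()).hexdigest()[:12]
        try:  # a Fernet key is 32 bytes, URL-safe base64 encoded
            valid = len(base64.urlsafe_b64decode(kek.encode())) == 32
        except ValueError:
            valid = False
        if not valid:
            problems.append(f"kek #{n} ({fp}) is not a 32-byte Fernet key")
        if kek in seen:
            problems.append(f"kek #{n} ({fp}) repeats an earlier kek")
        seen.add(kek)
        report.append((n, fp, "active" if n == 1 else "decrypt-only"))
    return report, problems

def sample_key(byte):  # constructed key material, for this example only
    return base64.urlsafe_b64encode(bytes([byte]) * 32).decode()

# Constructed sample: new key first, old key second, plus two mistakes.
SAMPLE_CONF = "\n".join([
    "[simple_crypto_plugin]", "# new key first, old key second",
    f"kek = {sample_key(1)}", f"kek = {sample_key(2)}",
    "kek = c2hvcnQ=", f"kek = {sample_key(2)}"])

if __name__ == "__main__":
    print(*check_keks(parse_keks(SAMPLE_CONF)), sep="\n")
```

A clean result only confirms the file is well formed; it cannot tell whether rewrap_pkek has already run, so old keys should still be removed only after that command has completed.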
Bug Fixes
Fixed Bug #2036506 - This patch replaces the hard-coded CKM_AES_CBC_PAD mechanism used to wrap pKEKs with an option to configure this mechanism. Two new options have been added to the [p11_crypto_plugin] section of the configuration file: key_wrap_mechanism and key_wrap_generate_iv. These options default to CKM_AES_CBC_PAD and True respectively to preserve backwards compatibility.