Barbican Secret Store Management Prompt
Manage Barbican secrets — secret/container/order model, HSM backend, key rotation, ACLs, Octavia integration.
- Target user: OpenStack engineers running Barbican for secret storage
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a senior OpenStack security engineer who has run Barbican with multiple backends — simple_crypto, PKCS#11 HSM, KMIP. You know the secret/container/order lifecycle and how Barbican integrates with Octavia, Nova, Cinder.

I will provide:
- The Barbican backend (simple_crypto, HSM via PKCS#11, KMIP)
- The symptom (secret stuck pending, decryption fails, HSM connection issue, ACL not enforcing)
- `openstack secret show` / `openstack secret container get` output
- Barbican logs

Your job:

1. **Understand the model**:
   - **Secret** — single bag of bytes + metadata (algorithm, bit length, content type, expiration)
   - **Container** — grouping of named secret references (e.g., a certificate container = certificate + private_key + intermediates); certificate containers cannot be edited after creation
   - **Order** — request for Barbican to generate a secret (symmetric key or asymmetric pair; certificate orders only on older releases), processed asynchronously by barbican-worker
   - **ACL** — per-secret (and per-container) read access for named users, plus a project-access flag that is on by default
2. **For backend issues**:
   - simple_crypto: one KEK from barbican.conf encrypts every secret at rest; whoever can read the config and the database can decrypt everything (least secure)
   - HSM (p11_crypto): PKCS#11 module; the master KEK and HMAC key live in the HSM and wrap the per-project KEKs stored in the database
   - HSM unreachable = Barbican can't decrypt secrets, and every consumer (Octavia listeners, Cinder encrypted volumes) fails with it
3. **For "secret stuck PENDING"** (from an order):
   - Order processing failed or never ran; check the barbican-worker log and the order's error_status_code / error_reason
   - HSM operation timeout
   - Generation policy not allowed (algorithm or bit length rejected by the plugin)
4. **For decryption failures**:
   - KEK changed (simple_crypto `kek` edited) or HSM key lost (MKEK/HMAC label changed, HSM restored from an older backup)
   - Backend reconfigured incorrectly
   - Catastrophic without backup
5. **For ACL**:
   - Default: project members only (admin/creator/observer roles decrypt; audit reads metadata only)
   - Per-secret ACL grants read to specific users; the project-access flag stays on unless explicitly disabled, so project members keep access; the creator and project admins keep access even when it is disabled
   - The only ACL operation type is read; write and delete stay with project roles
6. **For Octavia integration**:
   - Listeners reference a Barbican container (or a PKCS#12 secret) by href
   - The Octavia service user lives outside the tenant project, so it needs an ACL read entry on the container and on every secret in it
   - Cert rotation = create a new container and point the listener at it (`openstack loadbalancer listener set --default-tls-container-ref`); Octavia does not pick up changes behind the old href
7. **For Nova / Cinder integration**:
   - Image signing certificates in Barbican
   - Cinder encrypted volumes: one LUKS key per volume, referenced by secret href; deleting the secret makes the volume unreadable
8. **For HSM operations**:
   - Slot or token label, partition, login credentials in config
   - HSM connection pool; tune for concurrent operations

Mark DESTRUCTIVE: deleting secrets in use (LBs / volumes can't decrypt), rotating KEK without re-encrypting secrets (lose access), reconfiguring backend without migration.

---
Backend: [simple_crypto / HSM / KMIP]
Symptom: [DESCRIBE]
Secret/container state:
```
[PASTE]
```
Barbican logs:
```
[PASTE]
```
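The ACL and Octavia points above hinge on who Barbican lets decrypt a secret. The following is an added example, not Barbican's own code: it models the classic default policy rules for secret:decrypt (secret_acl_read, secret_project_admin, secret_project_creator, secret_decrypt_non_private_read) as an assumption to check against your deployment's policy.yaml, since sites override these rules and the secure-RBAC defaults differ. The users, projects and href are constructed.

```python
"""Who can decrypt a Barbican secret: a model of the default policy rules.

Added illustration, not Barbican code. Assumes the classic default
policy.yaml; verify against your own policy file.
"""
from dataclasses import dataclass, field


@dataclass
class Secret:
    href: str
    project_id: str           # owning project
    creator_id: str           # user that stored the secret
    acl_users: set = field(default_factory=set)  # user ids with 'read' ACL
    project_access: bool = True  # ACL project-access flag, on by default


@dataclass
class Caller:
    user_id: str
    project_id: str
    roles: set


def can_decrypt(secret, caller):
    """Return (allowed, name of the matching rule) for a payload read."""
    # rule:secret_acl_read - an explicit ACL entry wins regardless of project
    if caller.user_id in secret.acl_users:
        return True, "secret_acl_read"
    # everything else requires the caller's project to own the secret
    if caller.project_id != secret.project_id:
        return False, "other project and not in ACL"
    # rule:secret_project_admin - project admins always decrypt
    if "admin" in caller.roles:
        return True, "secret_project_admin"
    # rule:secret_project_creator - the user who stored it keeps access
    if "creator" in caller.roles and caller.user_id == secret.creator_id:
        return True, "secret_project_creator"
    # rule:secret_decrypt_non_private_read - other members only while
    # project-access is still enabled; the audit role never decrypts
    if secret.project_access and caller.roles & {"admin", "creator", "observer"}:
        return True, "secret_decrypt_non_private_read"
    return False, "project access disabled or audit-only role"


def walkthrough():
    """Constructed scenario: LB owner project 'tenant-a', Octavia in 'service'."""
    cert = Secret("https://barbican.example/v1/secrets/c0ffee", "tenant-a", "alice")
    alice = Caller("alice", "tenant-a", {"creator"})
    bob = Caller("bob", "tenant-a", {"observer"})
    auditor = Caller("eve", "tenant-a", {"audit"})
    octavia = Caller("octavia-svc", "service", {"admin"})

    steps = {}
    # admin role in another project does not help: Octavia needs an ACL entry
    steps["octavia_before_acl"] = can_decrypt(cert, octavia)[0]
    # openstack acl user add --user <octavia-user-id> <href>
    cert.acl_users.add("octavia-svc")
    steps["octavia_after_acl"] = can_decrypt(cert, octavia)[0]
    # adding a user did not lock project members out
    steps["bob_after_acl"] = can_decrypt(cert, bob)[0]
    # openstack acl user add --user <id> --no-project-access <href>
    cert.project_access = False
    steps["bob_private"] = can_decrypt(cert, bob)[0]
    steps["alice_private"] = can_decrypt(cert, alice)[0]
    steps["auditor"] = can_decrypt(cert, auditor)[0]
    return steps
```

The two things practitioners get wrong are visible in `walkthrough()`: granting the Octavia user does not restrict anyone else until project access is switched off, and switching it off still leaves the creator and project admins able to decrypt.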
Why this prompt works
Barbican is a foundational service that’s often “set and forget” — until secrets can’t be decrypted. This prompt walks the lifecycle.
How to use it
- Verify backend health before assuming app issues.
- For Octavia integration issues, check container URL access.
- For HSM, test connectivity from controller.
- Audit secret usage before any deletion.
Useful commands
# Secrets
openstack secret list
openstack secret show <secret-href>
openstack secret get <secret-href> --decrypt --file out.bin
# Store a secret
# Binary payloads must be base64-encoded and declared as such
openstack secret store --name mykey --secret-type symmetric \
--payload "$(base64 -w0 key.bin)" \
--payload-content-type application/octet-stream \
--payload-content-encoding base64
# Container (TLS); certificate containers cannot be changed afterwards
openstack secret container create --name tls-container \
--type=certificate \
--secret="certificate=$CERT_HREF" \
--secret="private_key=$KEY_HREF"
openstack secret container get <container-href>
# Order (type is positional; --mode applies to symmetric keys only)
openstack secret order create --name rsa-keypair \
--algorithm rsa --bit-length 2048 asymmetric
# Shows status plus error_status_code / error_reason when generation failed
openstack secret order get <order-href>
# ACL (works on container hrefs too)
openstack acl get <secret-href>
openstack acl user add --user <user-id> <secret-href>
# Lock project members out; creator and project admins keep access
openstack acl user add --user <user-id> --no-project-access <secret-href>
# Backend status
sudo journalctl -u barbican-api -n 100 --no-pager
sudo journalctl -u barbican-worker -n 100 --no-pager
sudo grep -A5 secretstore /etc/barbican/barbican.conf
sudo grep -A15 p11_crypto_plugin /etc/barbican/barbican.conf
# HSM connectivity test
# (vendor-specific tooling and library path, e.g., for SafeNet Luna)
pkcs11-tool --module /usr/lib/libCryptoki2_64.so --list-slots
# Private objects such as the MKEK only show up after login
pkcs11-tool --module /usr/lib/libCryptoki2_64.so --slot 0 --login --list-objects
Common findings this catches
- Order PENDING > 5 min → worker not consuming; check barbican-worker.
- Octavia LB shows TLS error after rotation → listener still points to old container URL.
- Decryption fails after backend reconfigure → KEK mismatch.
- HSM connection timeouts → session pool exhausted; raise the client/session limit (the plugin option the page names is max_clients; confirm the name for your backend) or lower worker concurrency.
- Container with one secret HREF missing → secret deleted while container exists.
- ACL not blocking access → project-access still enabled on the ACL; adding users never removes project members, use --no-project-access.
- Secret expired silently → check the expiration field; renew.
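Several of these findings can be pulled out of the inventory before anyone deletes or rotates anything. The script below is an added example, not part of the page or of Barbican: its input dicts follow the field names of the Barbican v1 REST responses (GET /v1/secrets, /v1/containers, /v1/orders), the records and the "octavia" consumer entry are constructed, and timestamps are taken as UTC, which is how Barbican reports them.

```python
"""Offline audit of a Barbican inventory for the failure modes listed above.

Added example with constructed data shaped like Barbican v1 REST output.
"""
from datetime import datetime, timedelta, timezone

BASE = "https://barbican.example/v1"          # constructed endpoint
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed audit time

SECRETS = [  # GET /v1/secrets -> "secrets" (constructed)
    {"secret_ref": f"{BASE}/secrets/1111", "name": "lb-cert-2025",
     "status": "ACTIVE", "expiration": "2025-06-10T00:00:00"},
    {"secret_ref": f"{BASE}/secrets/2222", "name": "lb-cert-2024",
     "status": "ACTIVE", "expiration": "2025-05-01T00:00:00"},
    {"secret_ref": f"{BASE}/secrets/3333", "name": "lb-key-2024",
     "status": "ACTIVE", "expiration": None},
    {"secret_ref": f"{BASE}/secrets/5555", "name": "vol-luks-key",
     "status": "ACTIVE", "expiration": None},
]
CONTAINERS = [  # GET /v1/containers -> "containers" (constructed)
    {"container_ref": f"{BASE}/containers/aaaa", "name": "tls-2025",
     "type": "certificate", "consumers": [],
     "secret_refs": [{"name": "certificate", "secret_ref": f"{BASE}/secrets/1111"},
                     {"name": "private_key", "secret_ref": f"{BASE}/secrets/4444"}]},
    {"container_ref": f"{BASE}/containers/bbbb", "name": "tls-2024",
     "type": "certificate",
     "consumers": [{"name": "octavia",
                    "URL": "https://octavia.example/v2/lbaas/listeners/9f1e"}],
     "secret_refs": [{"name": "certificate", "secret_ref": f"{BASE}/secrets/2222"},
                     {"name": "private_key", "secret_ref": f"{BASE}/secrets/3333"}]},
]
ORDERS = [  # GET /v1/orders -> "orders" (constructed)
    {"order_ref": f"{BASE}/orders/o1", "type": "asymmetric", "status": "PENDING",
     "created": "2025-05-31T23:00:00", "secret_ref": None},
    {"order_ref": f"{BASE}/orders/o2", "type": "key", "status": "ACTIVE",
     "created": "2025-05-31T23:58:00", "secret_ref": f"{BASE}/secrets/5555"},
    {"order_ref": f"{BASE}/orders/o3", "type": "key", "status": "ERROR",
     "created": "2025-05-31T22:00:00", "error_status_code": "400",
     "error_reason": "Invalid bit length for algorithm"},
]


def _ts(value):
    """Barbican timestamps are ISO 8601 without an offset; treat them as UTC."""
    return datetime.fromisoformat(value.replace("Z", "")).replace(tzinfo=timezone.utc)


def expiring_secrets(secrets, now, within=timedelta(days=30)):
    """Secrets already expired or expiring inside the window."""
    out = []
    for s in secrets:
        if not s.get("expiration"):
            continue
        when = _ts(s["expiration"])
        if when <= now:
            out.append((s["secret_ref"], "EXPIRED"))
        elif when - now <= within:
            out.append((s["secret_ref"], f"expires in {(when - now).days}d"))
    return out


def dangling_containers(containers, secrets):
    """Container entries whose secret href no longer exists (secret deleted)."""
    known = {s["secret_ref"] for s in secrets}
    return [(c["container_ref"], r["name"], r["secret_ref"])
            for c in containers for r in c["secret_refs"]
            if r["secret_ref"] not in known]


def problem_orders(orders, now, max_pending=timedelta(minutes=5)):
    """Orders stuck in PENDING past the threshold, or failed with a reason."""
    out = []
    for o in orders:
        if o["status"] == "PENDING" and now - _ts(o["created"]) > max_pending:
            age = now - _ts(o["created"])
            out.append((o["order_ref"], f"PENDING for {age}; check barbican-worker"))
        elif o["status"] == "ERROR":
            out.append((o["order_ref"],
                        f"ERROR {o.get('error_status_code')}: {o.get('error_reason')}"))
    return out


def in_use_containers(containers):
    """Containers with registered consumers: deleting these is DESTRUCTIVE."""
    return [(c["container_ref"], u["name"]) for c in containers for u in c["consumers"]]


def run_audit(secrets=SECRETS, containers=CONTAINERS, orders=ORDERS, now=NOW):
    return {
        "expiring": expiring_secrets(secrets, now),
        "dangling": dangling_containers(containers, secrets),
        "orders": problem_orders(orders, now),
        "in_use": in_use_containers(containers),
    }
```

Feed it the JSON from the API (or from `openstack ... -f json` after mapping the column names) and act on the four lists in order: renew what is expiring, recreate containers with dangling references, chase stuck orders in the worker log, and never delete anything listed under `in_use` without first updating the consumer.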
When to escalate
- HSM hardware failure — vendor support; failover.
- Suspected KEK compromise — major incident; rotate everything.
- Cross-region Barbican replication — design with HSM constraints.
Related prompts
- Keystone Token & Policy Audit Prompt: Audit Keystone configuration, role assignments, and policy.yaml for auth failures, token expiration issues, and excessive privilege.
- Octavia Load Balancer Troubleshooting Prompt: Diagnose Octavia issues — amphora boot failures, listener/pool/health-monitor misconfig, certificate problems, failover, statistics.
- OpenStack Security Hardening Prompt: Harden OpenStack — service-to-service TLS, secure RBAC, secure defaults audit, CVE response, audit logging.