Barbican

Barbican is a ReST API designed for the secure storage, provisioning and management of secrets, including in OpenStack environments. Mirror of code maintained at opendev.org.

Multi-Cloud Open Source Self Hosted + Cloud Options
Category Secrets Management
Community Stars 239
Last Commit 3 weeks ago
Last page update 18 days ago
Pricing Details Free and open-source under Apache License 2.0.
Target Audience Developers and organizations using OpenStack or requiring secure secret management.

Barbican provides secret management for cloud environments, particularly OpenStack deployments. Its REST API handles the storage, provisioning, and management of several kinds of secret material: symmetric keys, asymmetric key pairs, and raw (opaque) secrets such as passphrases.

Technically, Barbican's architecture is built around a central secret store that can distribute secret material to all types of deployments, including ephemeral cloud instances. It supports full life cycle management for symmetric and asymmetric keys, including provisioning, expiration, and reporting. The API is designed to be extensible and open source, facilitating community involvement and ecosystem development. Barbican integrates with other OpenStack services, in particular Keystone for authentication and authorization: API requests carry a Keystone token, and Barbican's policy file maps Keystone roles to the operations they may perform, so it operates within an OpenStack environment without a separate identity system.

Operationally, deploying Barbican for development can be done through DevStack, either using a Vagrant-based easy mode or a manual setup on a clean Ubuntu instance. The manual setup requires exposing the ports for the Barbican API (9311 by default) and Keystone, and adding an enable_plugin line for Barbican to the DevStack local.conf so the plugin is installed alongside the other services.

Key technical details include AES as the symmetric key type Barbican generates and stores, and support for SSL/TLS certificates and SSH keys through asymmetric key pairs. Barbican also provides an out-of-band communication mechanism to notify and protect sensitive assets. Application adoption costs are kept low through sane defaults and centralized management of policies, which gives compliance and auditability without significant overhead on the consuming application.
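The token-authenticated store-and-fetch cycle and the expiration handling described in the two paragraphs above, as an added Python example that is not Barbican project code. The request and response shapes follow Barbican's documented v1 secrets API (POST /v1/secrets, GET /v1/secrets/{uuid}/payload, X-Auth-Token issued by Keystone); the endpoint host, the tokens and the in-memory FakeBarbican server are constructed stand-ins so the example runs offline, and the client's refusal to store a key without a TTL is this example's policy, not a Barbican rule.

```python
import base64
import json
import os
import re
import uuid
from datetime import datetime, timedelta, timezone

# Secret types accepted by Barbican's v1 API.
SECRET_TYPES = {"symmetric", "public", "private", "passphrase", "certificate", "opaque"}
ISO = "%Y-%m-%dT%H:%M:%SZ"


class BarbicanClient:
    """Thin v1 secrets client (added example, not project code).

    transport(method, url, headers, body) -> (status, body) is injected so the
    same code can sit on a real HTTP library or on the offline stand-in below.
    """

    def __init__(self, endpoint, token, transport, clock=lambda: datetime.now(timezone.utc)):
        self.endpoint, self.token, self.transport, self.clock = endpoint.rstrip("/"), token, transport, clock

    def _headers(self, **extra):
        h = {"X-Auth-Token": self.token, "Content-Type": "application/json"}
        h.update(extra)
        return h

    def store_symmetric_key(self, name, key_bytes, ttl, algorithm="aes", mode="cbc"):
        """Store raw key bytes as a 'symmetric' secret with a mandatory expiration.
        Barbican accepts secrets with no expiration; requiring a TTL is this
        example's policy so that no key lives in the store unbounded."""
        if ttl <= timedelta(0):
            raise ValueError("ttl must be positive")
        body = {
            "name": name,
            "secret_type": "symmetric",
            "algorithm": algorithm,
            "bit_length": len(key_bytes) * 8,
            "mode": mode,
            # Binary payloads are sent base64-encoded with an octet-stream content type.
            "payload": base64.b64encode(key_bytes).decode("ascii"),
            "payload_content_type": "application/octet-stream",
            "payload_content_encoding": "base64",
            "expiration": (self.clock() + ttl).strftime(ISO),
        }
        status, resp = self.transport("POST", f"{self.endpoint}/v1/secrets", self._headers(), json.dumps(body))
        if status != 201:
            raise RuntimeError(f"store failed: HTTP {status}")
        ref = json.loads(resp)["secret_ref"]
        # Only follow references that point back at the endpoint we trust.
        if not ref.startswith(f"{self.endpoint}/v1/secrets/"):
            raise RuntimeError(f"unexpected secret_ref {ref!r}")
        return ref

    def get_symmetric_key(self, secret_ref):
        """Return the decoded key bytes, or None once the server no longer serves it."""
        status, resp = self.transport("GET", f"{secret_ref}/payload",
                                      self._headers(Accept="application/octet-stream"), None)
        if status == 404:
            return None
        if status != 200:
            raise RuntimeError(f"fetch failed: HTTP {status}")
        return resp


class FakeBarbican:
    """Constructed offline stand-in for the two routes used above. It mirrors the
    real service on the points that matter here: the token check, 400 on an
    expiration that is not in the future, and the payload becoming unavailable
    after expiry (the exact status a real deployment returns is an assumption)."""

    def __init__(self, endpoint, valid_tokens, clock):
        self.endpoint, self.valid_tokens, self.clock, self.secrets = endpoint, set(valid_tokens), clock, {}

    def _expiry(self, doc):
        return datetime.strptime(doc["expiration"], ISO).replace(tzinfo=timezone.utc)

    def __call__(self, method, url, headers, body):
        if headers.get("X-Auth-Token") not in self.valid_tokens:
            return 401, json.dumps({"title": "Unauthorized"})
        if method == "POST" and url == f"{self.endpoint}/v1/secrets":
            doc = json.loads(body)
            if doc["secret_type"] not in SECRET_TYPES or self._expiry(doc) <= self.clock():
                return 400, json.dumps({"title": "Bad Request"})
            sid = str(uuid.uuid4())
            self.secrets[sid] = doc
            return 201, json.dumps({"secret_ref": f"{self.endpoint}/v1/secrets/{sid}"})
        m = re.fullmatch(re.escape(self.endpoint) + r"/v1/secrets/([0-9a-f-]+)/payload", url)
        if method == "GET" and m:
            doc = self.secrets.get(m.group(1))
            if doc is None or self._expiry(doc) <= self.clock():
                return 404, json.dumps({"title": "Not Found"})
            if headers.get("Accept") != doc["payload_content_type"]:
                return 406, json.dumps({"title": "Not Acceptable"})
            return 200, base64.b64decode(doc["payload"])
        return 404, json.dumps({"title": "Not Found"})


def demo():
    """Round-trip a 256-bit key, then exercise the rejections a practitioner relies on."""
    endpoint = "https://barbican.example.test:9311"  # hypothetical host
    now = [datetime(2025, 1, 1, tzinfo=timezone.utc)]  # controllable clock
    clock = lambda: now[0]
    server = FakeBarbican(endpoint, {"tok-valid"}, clock)
    client = BarbicanClient(endpoint, "tok-valid", server, clock)
    key = os.urandom(32)
    ref = client.store_symmetric_key("db-key", key, timedelta(days=1))
    results = {"roundtrip": client.get_symmetric_key(ref) == key,
               "bit_length": server.secrets[ref.rsplit("/", 1)[1]]["bit_length"]}
    try:
        client.store_symmetric_key("bad", key, timedelta(0))
        results["zero_ttl_rejected"] = False
    except ValueError:
        results["zero_ttl_rejected"] = True
    try:
        BarbicanClient(endpoint, "tok-stolen", server, clock).get_symmetric_key(ref)
        results["bad_token_rejected"] = False
    except RuntimeError:
        results["bad_token_rejected"] = True
    now[0] += timedelta(days=2)  # move past the expiration
    results["expired_gone"] = client.get_symmetric_key(ref) is None
    return results


if __name__ == "__main__":
    print(demo())
```

Swapping FakeBarbican for a function that issues the same (method, url, headers, body) through an HTTP library is all that is needed to point the client at a real deployment; the expiration, content-type and secret_ref checks stay the same.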

In terms of limitations, the DevStack setup process can be time-consuming, taking anywhere from 10 to 30 minutes depending on the internet connection. Additionally, the shared folders used in the Vagrant setup do not support hard links, which restricts the use of tox inside the guest.