Add Crypto/HSM MKEK Rotation Support (Lightweight)

Registered by John Wood

Currently Barbican has no means to migrate secrets encrypted with a crypto/HSM-style plugin to a new master key encryption key (MKEK) and its associated wrapped project KEKs. This blueprint proposes adding a new Barbican service process that completes the rotation by re-wrapping the project KEKs with the new MKEK. Note that unlike the similarly-named blueprint at, this blueprint does *not* call for re-encrypting secrets and is therefore a 'lightweight' alternative to that blueprint.

Comparing the two approaches, this lightweight one should process more quickly when there are many secrets with numerous project IDs stored in the database. The downside of the lightweight approach is that if the old MKEK was compromised *and* the attacker has access to backup versions of the database, they could decrypt current secrets: the old MKEK unwraps the (unchanged) project KEK stored in the backup, and because the encrypted secret data is also unchanged, that project KEK decrypts it.

Similar to the other blueprint, this process would be started after deployers, out of band:

1. generate new MKEK and HMAC signing keys bound to new labels;
2. replicate these keys to other HSMs that may be in the high availability (HA) group;
3. update Barbican's config file to reference these new labels;
4. restart the Barbican nodes.

The proposed process would then re-wrap the project KEKs with the new MKEK, updating the associated project KEK records with the new wrapped project KEKs.
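As an added example (not Barbican's own code), the key hierarchy and the proposed re-wrap modelled in stdlib Python: the simulated HSM, its key labels and the record layout are assumptions, and an HMAC-SHA256 keystream with an HMAC tag stands in for the HSM's AES key wrap and for the secret's authenticated encryption.

```python
import os, hmac, hashlib

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode; stand-in for the HSM's AES key wrap and AES-GCM (assumption)
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(key, data):
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    """Inverse of wrap(); raises if the tag does not verify (wrong key or tampered blob)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("unwrap failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Store:
    """Minimal model of the crypto/HSM plugin's key hierarchy: MKEK -> wrapped project KEK -> secret."""
    def __init__(self):
        self.hsm = {"mkek-v1": os.urandom(32)}  # label -> MKEK; in a real deployment it never leaves the HSM
        self.kek_records = {}                   # project_id -> {"mkek_label", "wrapped_kek"}
        self.secrets = {}                       # secret_id -> {"project_id", "ciphertext"}

    def project_kek(self, project_id, records=None):
        rec = (records if records is not None else self.kek_records)[project_id]
        return unwrap(self.hsm[rec["mkek_label"]], rec["wrapped_kek"])

    def store_secret(self, project_id, secret_id, plaintext, mkek_label="mkek-v1"):
        if project_id not in self.kek_records:  # first secret for a project: mint and wrap its KEK
            self.kek_records[project_id] = {"mkek_label": mkek_label,
                                            "wrapped_kek": wrap(self.hsm[mkek_label], os.urandom(32))}
        self.secrets[secret_id] = {"project_id": project_id,
                                   "ciphertext": wrap(self.project_kek(project_id), plaintext)}

    def get_secret(self, secret_id, records=None):
        s = self.secrets[secret_id]
        return unwrap(self.project_kek(s["project_id"], records), s["ciphertext"])

    def rotate_mkek(self, old_label, new_label):
        """Lightweight rotation: re-wrap each project KEK under the new MKEK; secret ciphertexts stay as they are."""
        count = 0
        for rec in self.kek_records.values():
            if rec["mkek_label"] == old_label:
                kek = unwrap(self.hsm[old_label], rec["wrapped_kek"])
                rec.update(mkek_label=new_label, wrapped_kek=wrap(self.hsm[new_label], kek))
                count += 1
        return count
```

Because only the wrapped KEK records change, a pre-rotation copy of `kek_records` plus the old MKEK still opens every current secret, which is the downside described above.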

Blueprint information

Douglas Mendizábal
John Wood
John Vrbanac
Series goal: Accepted for liberty
Milestone target: 1.0.0
Started by: Douglas Mendizábal
Completed by: Thierry Carrez

Related branches



Was this ever implemented?


Work Items
