What is the Nectar Key Manager Service (KMS)?

The Nectar KMS is provided by the OpenStack Barbican service. It provides secure storage, provisioning and management of secret data, including keying material such as symmetric keys, asymmetric keys, certificates and raw binary data.

The advantage of using a KMS in Nectar is that it removes the need to store application secrets in (unencrypted) files on the file systems of your instances. If someone gains unauthorized (root) access to an instance, one of the first things they will do is search the file system for secret keys; with a KMS, there is nothing there for them to find. Note that a KMS protects secrets at rest, not while they are in use: an application still has to authenticate to the KMS and fetch the secret into memory, so an intruder with root on a running instance could reuse the OpenStack credentials the instance holds or read the secret out of process memory. Keep the credentials used to reach the KMS as narrowly scoped as possible, and fetch secrets only when they are needed.

The Nectar KMS is also used by the following Nectar services to store secrets on your behalf.

Volume service

When you create an encrypted volume using the Nectar Volume Storage service, an encryption key is generated for you and stored in the KMS as a secret owned by your project.

Warning: if you delete a volume's encryption key from the KMS, nothing will be able to decrypt the volume associated with it, and its contents are permanently lost.

Load Balancer Service

You can store the TLS certificate and private key for a "TERMINATED_HTTPS" listener in the Nectar KMS and reference the stored secret when creating a load balancer listener; see the OpenStack Octavia documentation for a worked example.
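The procedure above, as an added shell example (it is not part of this page or of the Octavia documentation): the certificate, private key and intermediate chain are bundled into a PKCS12 file, stored in the KMS as a base64-encoded secret, and the resulting secret href is passed to the listener. It assumes an authenticated OpenStack CLI environment (OS_* variables or --os-cloud) with the barbican and octavia CLI plugins installed, and server.crt, server.key and ca-chain.crt in the current directory; the names lb1, listener1, tls_secret1 and public-subnet are placeholders.

```shell
#!/bin/sh
# Added example: store a TLS certificate for an Octavia TERMINATED_HTTPS
# listener in the Nectar KMS (Barbican) and reference it from the listener.
# Assumptions: an authenticated OpenStack CLI environment with the barbican
# and octavia plugins; server.crt, server.key and ca-chain.crt in the current
# directory. lb1, listener1, tls_secret1 and the subnet name are placeholders.

set -eu

# Base64-encode stdin as a single line, which is how the secret payload is
# passed to "openstack secret store" (portable: avoids GNU-only 'base64 -w0').
encode_payload() {
    base64 | tr -d '\n'
}

# Bundle certificate, private key and intermediate chain into one PKCS12 file.
# Octavia expects the secret payload to be a PKCS12 bundle with no passphrase.
bundle_pkcs12() {
    cert=$1; key=$2; chain=$3; out=$4
    openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
        -passout pass: -out "$out"
}

# Store the PKCS12 bundle in the KMS and print the href of the new secret.
store_tls_secret() {
    name=$1; p12=$2
    openstack secret store --name "$name" \
        --payload-content-type 'application/octet-stream' \
        --payload-content-encoding base64 \
        --payload "$(encode_payload < "$p12")" \
        -f value -c 'Secret href'
}

# Poll until the load balancer is ACTIVE; a listener cannot be attached while
# the load balancer is still in a PENDING_* state.
wait_for_lb() {
    lb=$1
    while :; do
        status=$(openstack loadbalancer show -f value -c provisioning_status "$lb")
        case $status in
            ACTIVE) return 0 ;;
            ERROR)  echo "load balancer $lb failed to provision" >&2; return 1 ;;
            *)      sleep 5 ;;
        esac
    done
}

# Full procedure: bundle -> store in KMS -> create LB -> create HTTPS listener.
provision_tls_listener() {
    lb=$1; subnet=$2; secret_name=$3
    bundle_pkcs12 server.crt server.key ca-chain.crt server.p12
    href=$(store_tls_secret "$secret_name" server.p12)
    rm -f server.p12   # the bundle now lives only in the KMS
    openstack loadbalancer create --name "$lb" --vip-subnet-id "$subnet"
    wait_for_lb "$lb"
    openstack loadbalancer listener create --name listener1 \
        --protocol TERMINATED_HTTPS --protocol-port 443 \
        --default-tls-container-ref "$href" "$lb"
}

# Usage: ./tls_listener.sh lb1 public-subnet tls_secret1
if [ $# -eq 3 ]; then
    provision_tls_listener "$@"
fi
```

The secret href printed by "openstack secret store" is the reference the listener needs; you can confirm what was stored with "openstack secret get <href>", and if the listener ends up in an ERROR state with a certificate-related message, check who may read the secret with "openstack acl get <href>". Remember that server.key is still on your workstation after this runs; the KMS only removes the need to copy it onto the load balancer or your instances.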

Further information

Please see the OpenStack Barbican documentation for more information on the service and for examples that illustrate how to use it. There is also a Python client package, python-barbicanclient, that provides a Python module for programmatic access and a plugin for the "openstack" CLI tool (the "openstack secret" commands).