Secrets

Overview

SysEleven Stack uses the OpenStack component Barbican for secret storage. We introduced Barbican secret storage primarily to provide a safe way to store SSL certificates and private keys for Octavia Load Balancer as a Service.

Barbican secret storage is part of our global region. This means that, as with Keystone (Identity and Access) and Designate (DNSaaS), there is one API for all regions.

| Barbican feature            | Supported |
|-----------------------------|-----------|
| Secret storage and metadata | Yes       |
| Containers                  | Yes       |
| Access control lists        | Yes       |
| Certificate orders          | No        |

Secret storage and metadata

Secret payloads are encrypted both in transit and at rest. Metadata (such as the secret name) is not guaranteed to be stored encrypted, so it should not contain sensitive information.

Containers

A container groups a set of secrets for a particular purpose, for example a certificate together with its private key.

Containers can be of type generic, RSA, or certificate. The type determines which secret names the container may hold:

| Type        | Accompanied secret names                                                        |
|-------------|---------------------------------------------------------------------------------|
| Generic     | No restrictions                                                                 |
| RSA         | public_key, private_key, and private_key_passphrase                             |
| Certificate | certificate and optionally private_key, private_key_passphrase, and intermediates |

Access control lists

By default, secrets and containers are accessible to all users of a project (see the Identity and Access reference guide for more information about users, groups, and projects).

Using access control lists (ACLs), you can restrict access to specific users or groups.

Currently, the ACL settings defined for a container are not propagated to the secrets it references. To restrict access to the secrets as well, set an ACL on each individual secret in addition to the container.
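The following added example (not part of this guide or of Barbican itself) builds the Barbican v1 request bodies for a certificate container and for an ACL, checks the secret names against the container type table above, and lists every href an ACL must be applied to given that container ACLs do not propagate. The hrefs are constructed placeholders, and the split of the table's names into required and optional ones is an assumption about the service's validation rules.

```python
"""Build Barbican v1 request bodies for containers and ACLs, offline."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed placeholder hrefs (not real endpoints or secret ids).
BASE = "https://barbican.example.invalid/v1"
CERT_HREF = f"{BASE}/secrets/11111111-1111-1111-1111-111111111111"
KEY_HREF = f"{BASE}/secrets/22222222-2222-2222-2222-222222222222"
CONTAINER_HREF = f"{BASE}/containers/33333333-3333-3333-3333-333333333333"

# Secret names per container type (from the table above). The required/
# optional split is an assumption; "generic" has no restrictions at all.
RULES: Dict[str, Tuple[Set[str], Optional[Set[str]]]] = {
    "generic": (set(), None),
    "rsa": ({"public_key", "private_key"}, {"private_key_passphrase"}),
    "certificate": ({"certificate"},
                    {"private_key", "private_key_passphrase", "intermediates"}),
}

def validate_container(ctype: str, names: Set[str]) -> List[str]:
    """Return problems with the secret name set; empty means it fits the type."""
    if ctype not in RULES:
        return [f"unknown container type {ctype!r}"]
    required, optional = RULES[ctype]
    if optional is None:  # generic container: anything goes
        return []
    problems = [f"missing required secret {n!r}" for n in sorted(required - names)]
    problems += [f"secret name {n!r} not allowed in a {ctype} container"
                 for n in sorted(names - required - optional)]
    return problems

def container_body(name: str, ctype: str, refs: Dict[str, str]) -> dict:
    """Body for POST /v1/containers; refs maps secret name -> secret href."""
    problems = validate_container(ctype, set(refs))
    if problems:
        raise ValueError("; ".join(problems))
    return {"name": name, "type": ctype,
            "secret_refs": [{"name": n, "secret_ref": h} for n, h in sorted(refs.items())]}

def acl_body(user_ids: List[str], project_access: bool = False) -> dict:
    """Body for PUT <href>/acl: limit read access to the listed users and,
    by default, drop the project-wide access every project user has."""
    return {"read": {"users": list(user_ids), "project-access": project_access}}

def acl_targets(container_href: str, refs: Dict[str, str]) -> List[str]:
    """Every href that needs its own ACL: the container does not propagate
    its ACL to the secrets it references, so each secret is listed too."""
    return [container_href] + [refs[n] for n in sorted(refs)]
```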

Known issues