Good morning everyone. How are you doing? Fantastic. That's quiet, y'all are terrible. I need some energy up here. My personality is naturally full of energy, so I need you guys to be just as energetic as I am. So how are you doing this morning? Awesome. Thank you, thank you. I appreciate it. I need a little bit of confidence this morning.

So I've said it a hundred times, most of you have been sitting in here the whole time, but again, please check out this Etherpad. It's gonna have everything digitally available for you, so you can jump on there and get all the commands that you need. We also have the Freenode IRC available. Everybody that is our Barbicaneers in the back, it's gonna be answering questions for you live. Feel free to raise your hand if you get stumped; one of them will jump by and help you out.

But before we get started, I want to kind of get an idea. This is a beginners class, and that's a little hard to define at a technical conference. But what we are treating this as is kind of an "I'm new to APIs, I'm not sure how this works, I want to create secrets, I want to interact with Barbican." So how many of you would consider yourself to be a super user: I am an API master, I use curl on a daily basis? How about those? All right. I've used Postman before? Awesome, okay. So it looks like we've got a lot of curl guys, got some Postman people. If you're not familiar with these APIs and stuff like that, I highly, highly, highly, highly recommend that you jump on Chrome and get Postman, and use the collection which is available on your workshop handouts and on this Etherpad. Awesome. Let's get started.

So today, just in case you were wondering where you're at, you're at "Barbican: Securing Your Secrets". We're gonna be talking about how to interact with Barbican, what it is. My portion here will be... I'm Chelsea Winfrey.
I'm a developer for Barbican at Rackspace. My partner here is John Verbanek. He will be doing the actual workshop, and we've got a great set of team in the back: Steve Heyman, Doug the PTL, and a bunch of other Barbicaneers. You can reach us at this information.

Cool. So what are we gonna talk about today? Today I want to talk about the importance of secret storage, why you should use Barbican, what is Barbican, and how do you use Barbican? Let's get started.

So to me, there's really three components of secret storage: key management, private data and trusted data. Let's go over key management. How many times have you asked yourself, where are my keys? My house keys, my car keys, anything of that nature. It's probably a daily question for some of us. But something that we don't often ask ourselves is, where shouldn't I put my keys, right? We walk in the house, we dump them on the counter. It's fine, no big deal. But what about leaving them in your car? Is that a great idea? You've got them right there, accessible to anybody that wants to take your car, right? It's not great. Let's not do that. How about inside of the car, right? Got your key. Oh, I put it under the visor, they won't see it. I don't know if you guys watch movies like I do, but every movie I've seen, it's like somebody hides the key there, thinking they're gonna get away with it, and sure enough somebody steals the car right out from underneath them. Let's not do that either.

Next topic, private data. So what is private data? Private data is anything that you don't want someone else to know about. Medical records, financial records, contracts, a surprise birthday party, database passwords, whatever it is, that data is secret to you. That is private data.

So this right here you're looking at is my business plan, and this is my dog trying to tell you that he wrote my business plan, right? So how do you know you can trust where this data is coming from, and how do you trust what this data is?
And we'll go into that a little bit more in depth. But how do you know you can trust them, and who do you trust? You guys have all seen this, right? Everybody's been on the internet before. This little green bar, this is SSL and TLS, but essentially this little green bar states that someone has verified that this company exists and that the data that you are getting is secure. So this is kind of one way that we define trust and show trust.

So why should you use Barbican? How about these great three topics? Anybody familiar with these three? Can anybody be an expert on these now? Yeah? Fantastic.

So why Barbican? Where is your key and where is your data? Something that is really important in using Barbican: it is a secret storage place, so you store your private key in Barbican. You put your data elsewhere. That way, if someone compromises your system with the data, they're not gonna have access to what it is. If you're encrypting your data, what have you, you won't have that issue. So not storing your key in your car is very important. So we've got key management checked off.

Next, why Barbican: private data. Encryption and decryption is hard. Anybody here familiar with cryptography and decryption? Awesome. Can you tell me what this says? Nobody? It's pretty difficult, right? This is encrypted data. I don't want to personally be sitting in a room trying to type it out, like, oh, figure out some math problems, just to decrypt this stuff. I want to make it too easy, but I also want it to be secure. So saving that private key inside of Barbican protects this from getting compromised. I can show this to you, and I won't... I don't even remember what it is. But you won't know what this is unless you have that key. So cool, now your data is private. Check that off.

Why Barbican: trusted data. So we talked about that SSL, that green trust bar, right? When you manage that private key that you're storing away secretly inside of your Barbican, with your bulldogs, what have you,
You're making sure that that certificate is secure. If they don't have the private key to compromise that certificate, they can't impersonate you to another customer. And when that customer can trust you by giving you their credit card information and their money, and you don't mess it up, i.e. Target, you build trust with that customer, right? So cool, now we have trusted data.

So what is Barbican? What does it make? So everybody here should be familiar with Python; that's just the OpenStack language. It is open source, meaning that everybody has access to it. And that's really important in the encryption world, because you can see what's going in and coming out before you buy it, right? You don't want to... they say, oh, I have a super secret special algorithm that's gonna protect your stuff. Well, you don't know what it is. Maybe it's an easy thing to break. A lot of the cryptography guys will sit in a room and try to break stuff all day. But by having it open source, you know exactly what you're getting into and you know just how secure it is.

Secondly, or thirdly I guess, according to this slide, it's incubated in OpenStack. So right now we're trying to get a lot of buy-in. So if you go back to your teams and your groups and be like, oh, Barbican sounds really cool, it'll help us get a step further, I guess. So it is in OpenStack; we do have all that stuff available to you on the links provided. It is a RESTful API, and that's kind of what we're gonna cover today, going through how it works. And in the end, you're gonna see this bullet point a whole lot more: it is a key management system.

Cool, so before we get started with the actual workshop, let's go over some of the tools of the trade. We have a secret. You've heard me say that a couple times.
It's a singular item that is stored within Barbican. So when you store something inside of your Barbican, we call that a secret, singular. An order can be a timed secret generation, or certificate order, or certificate purchase, something of that nature. It does not necessarily have immediate action. It can be prolonged over some time, and it'll track the history for you and show you, like, oh, this is what the status of it is, what have you. A container is exactly like it sounds: it's a big box full of secret references. Now, it's not the actual secrets. It is just a pointer to where those secrets live, and that's important. You'll see why moving forward.

Cool, so we've seen the slide. Is everybody set up and ready to go? We're about to get this thing running. It's gonna be fun. You're gonna have a great time. Verbanek's gonna knock it out of the park. You guys are gonna have a great time. If you have any questions, like I said, raise your hand. Got Barbicaneers in the back. We've got handouts, if you don't have them, in the back over there. Etherpad's available. Any questions before I move on? Anything? Awesome, you guys have been great. Now I'm gonna hand it over to Verbanek.

Awesome. So good morning. All right, so I'm gonna kind of walk you through some of the basic aspects of Barbican in and of itself. Again, this is a very basic overview of the different calls within Barbican. We're gonna kind of go through each REST call, just give you an idea of what the data is, what it, you know, what it does, how...
How you retrieve it, all that kind of thing. This is a very kind of hands-on, interactive session here, so at any time if you have questions or things like that, we've got people, an IRC channel, Etherpad, and there's also a bunch of Barbicaneers in the back to answer your questions directly, depending on what they are.

With that in mind, let's talk about authentication really quick. Now, one of the things that a lot of people may or may not be familiar with, as this is a beginner course: I'm gonna kind of talk about authentication a little bit with Keystone. Now, we're not gonna go into the nitty-gritty of this. There's a lot of, you know, very, very smart people here who work on Keystone. If you have more questions, they are a great resource for that kind of thing. But really what we're interested in from the perspective of Barbican is, how do we know that our data is secure to only us? And so we're gonna kind of just talk about it a little bit, mainly just because each one of you are actually going to do this authentication step to talk to Barbican.

So with that in mind, anybody who's familiar with Keystone already should understand this quite well, but the whole premise of this is based on an actual token that we include to Barbican, which tells Barbican who we are and, you know, whether or not we actually have the correct credentials to access a specific secret or to conduct actions on our secrets or like that. So the basic authentication step of how we get a token is, we have our user here, little guy in the left hand corner, and he makes a call out to Keystone and says: Hmm.
I have these credentials, I want a token. Keystone, with that, if the credentials are correct, then returns back, gives us our authentication token, which then we can use for all of our calls to Barbican from that point forward. The user makes a request to Barbican, whatever it may be, with the token included. Barbican then just goes up to Keystone, verifies that that token is correct, and if it is, returns us back the correct response. Now, for anybody who's familiar with Keystone, this should look quite familiar. And we'll actually look at doing this here in a second. Like, right now.

All right, so just for those who are not familiar with making calls to Keystone, this is kind of a very shortened version of this, and you'll see in here that we just make a POST call to Keystone. We ask it for our tokens. We include password credentials. Obviously, each one of you has a username and password and a tenant on that worksheet that you're given. Now, as you might see from the people next to you, all the passwords are the same, so be good citizens and try not to run over each other. What we'll be working with is a very basic... it's like a pseudo development environment for Barbican, and this is in no way secure. But this is more of just a way for us to play with it in a contained environment here. So on your handout you'll have a corresponding username, password and tenant, or a project. So you'll use those in all of your calls.

When you make the request, you'll then retrieve a response, where you'll see in here you'll have access token ID, and that will be the actual token that you'll use for the rest of this workshop. Two things to keep in mind on this, if you're not familiar with Keystone, is that expired and issued timestamps. Now, we set up this little development Keystone to give us about two hours, so it should be perfectly fine for this workshop. But keep that in mind if
for some odd reason you start getting authentication or unauthorized-type errors. You might just need to re-authenticate, especially if you play with this after the workshop.

All right, with that in mind, let's go ahead and hop in and grab your tokens, and then we will move on. If you have any questions, we've got people in the back, and we've also got a lot of people helping out on the workshop IRC. Okay. Grab your tokens, and we'll give about a minute for this. And just as a reminder, if you're very new to APIs and things like that, we do have a few cheat sheets for both Postman and for curl. So if you just kind of want to follow along, but you don't really want to go through all the steps of having to write out the commands yourself, those are there for you to work with. So anybody need more time? Raise your... okay, we'll give it a couple more minutes. Raise your hand if you need a little more time. Okay, all right, so we're gonna go ahead and kind of move on a little bit here, so we can get to everything. If you need a little help, raise your hand and a Barbicaneer can kind of help you through this. Okay.

All right, now that we actually have our authentication token, we're going to talk about secrets a little bit: what a secret is, what kind of data is within it. And a secret in and of itself is just a singular item that contains specific data that you consider secret. Along with that, we kind of have it split into two different categories of what is a part of a secret. We have what's referred to as the metadata, and we also have a payload. And the metadata is exactly what it sounds like. It's, you know, we have things like content type and algorithm, bit length, name, mode, expiration date, all of which, you know, you don't necessarily need, but it is very helpful to understand and document what that secret actually is. Along with that, we have a payload. Now, we accept three different types of payloads.
We accept plaintext, base64 payloads and raw binary. Now, we're not gonna really talk about raw binary today, as it's more of an advanced use case, but if you're really curious about that, there's plenty of Barbicaneers here and in the IRC channels who can kind of talk to you a little bit more about those use cases and give you a little more information around them.

With that in mind, we're gonna kind of look at creating a secret. And so when we're creating a secret, we actually make a POST to our endpoint, /v1/secrets. We tell Barbican that the content type is application/json. We include, most importantly, our X-Auth-Token, which indicates to Barbican who we are and whether or not we have permissions to access, or in this case create, a secret. So make sure you include that. And we'll include a little body here. In this case, we are gonna add the metadata: name, we can call it "super secret thing", just because we want to. We're gonna set an expiration date of sometime this year, and we have a payload of a string called "beer", because you obviously need an expiration date with beer. Anyhow, we're also gonna inform Barbican that our payload is text/plain, so just telling Barbican that it's a string, pretty much, that we're including in here. When we post this to our endpoint, we then get a response here, and it is this quite long secret reference now.
This is an absolute reference to the location of your secret. This is important from the context of, if you might be familiar with more of HATEOAS-based references, and this is what that is. Now, in this case, we're not really going to talk about why that's important today, but if you're curious, there's plenty of people in the back to kind of talk to you about that. Suffice to say, it's an absolute place for our secret and where it is stored and how we can retrieve it. So make sure, once we make this call, you'll want to save this secret ref for our following calls.

So let's go ahead and create our secret, and we'll just give a couple minutes for this and then we'll move on. If at any time you need help, there's people in the IRC room, there's people in the back, there's also the Etherpad. So if anytime you need help, just raise your hand and a Barbicaneer will come assist you. Again, if you came in a little bit later, we also have links there for cheat sheets to make this a little bit simpler, if this is the first time you've worked with APIs or worked with any particular calls like this. We'll give ourselves another minute or so, and this will start getting a little bit easier and faster as we go on, as a lot of the calls will start looking very similar. If you need a little more time, just raise your hand.

Now that we've created a secret, let's retrieve its metadata. So in this case, we will be using a GET call to the exact secret ref that we were given in the last call, and what you'll see here is the information we provided with a little extra data, based on what we saw in one of the first slides when we were talking about metadata. So you'll see in here, we'll have a created time, an updated time and an expiration. Created time and updated time.
They're important mainly for understanding when we issued a creation and whenever it actually fully was updated in the DB. We have the expiration we provided. We also have a couple null values in here for mode, algorithm, bit length, because we did not provide them. We also have a secret ref in here, which is just more of a verification. So when you're looking at the output of this kind of information, it's exactly the same thing that you provided when you retrieve the metadata, but it's a nice verification of what you're actually looking at. We also, in this case, specified text/plain for a content type, so it's telling us that is the default that we are retrieving. So with that in mind, let's go ahead and grab the metadata, and we'll give it just about a minute for this and then we'll move on. Raise your hand if you need a little more time.

Now that we've retrieved the secret metadata, verified that what we created with is actually stored, let's actually retrieve the payload. Now, in this case, you do the exact same GET on here. The only thing that's different about this to the last call is we tell Barbican that we want to accept that content type that we specified when we created the secret. In this case, it was text/plain. So we're gonna grab this secret, then we're gonna say Accept text/plain, we'll include our auth token as always, and our response will be the string "beer". Now, I wish we could actually give it a nice little emoji there for beer, but yeah, I'm gonna do what you can. So let's go ahead and retrieve the payload. If you need more time, raise your hand.
Yeah, we'll give it another minute. So anybody need more time? Okay.

Now we've retrieved the payload, we've retrieved the metadata. Let's talk about actually retrieving a list of secrets. Now, in a lot of cases you know exactly the secrets that you've created. You know you've created them, you have absolute references to them, and you might store that someplace. However, there's cases where you've created a number of secrets, but you don't know exactly what the references are. In this case, we provide a way to list out all of your secrets for a given user. In this case, it actually appears in a paginated form. If you're familiar with paginated interfaces, it essentially allows for you to specify, you know, a limit on the number of secrets that you can return, or items you can return, and an offset to kind of how far you are in the stack. With this, the content of each secret will look rather familiar, because it's exactly the same sort of metadata that we saw when we retrieved a secret's metadata. Now, this is actually where the metadata comes in handy, to help identify, whenever you're just looking through your secrets, to figure out which one you were actually intending, and from there you can grab your secret ref. In this case, you'll also see up there.
There is a "next" attribute in here. Now, for all of your users, unless you've been creating a whole bunch of secrets, you won't see that until you go over the initial limit of 10. But if you care to experiment with that, you can do that as well. In this case, with this user, we've snipped some of this content here, but this user has around 3800 secrets in it. But yes, let's go ahead and grab our list of secrets, and just as a reminder, always include your X-Auth-Token. And yeah, let's grab our secrets. In this case, especially if you only created one, you should only see one in there. Anybody need any more time, raise your hand.

We've created, got the metadata, got the payload, got a list. Let's actually delete it. In this case, because each one of you has an admin role for your given project or your tenant, you can actually delete. However, specifically with role-based access, you can limit who can delete, but for the purposes of the workshop your user has permissions to do this. This is very important in the sense of, you wouldn't necessarily want a user consuming just being able to delete a secret, such as like a private key or a certificate, because that could, well, bring down an infrastructure if you're not careful. So yes, in theory, if you change the roles in your own instance of Barbican, you could reassign that if you really wanted to, but for this specific instance of Barbican only the admin role can delete. With this, it is an HTTP DELETE to the secret ref, so if you try to do this to something else, I would hope it doesn't work. But in this case, just DELETE on the secret ref, including your X-Auth-Token, and let's do that really quick. Give us about 30 seconds to a minute. Okay.

Ah, so now, at the moment, and I forgot to mention this: when we delete, it's actually only a soft delete. So in this case, the secret still exists in the database, but it is not accessible anymore.
This is primarily so when you're talking about compliance and things like that, where you have to hold specific data for longer periods of time. Then yes. Yes, and we actually... in theory, all of that data is still in existence, including the metadata. It's just not accessible to the user. If you start running through the DB, you can then grab that information. We have had discussions about how we deal with audit, and we really haven't fleshed most of that out yet. However, for the moment, our current answer is just a soft delete, and if we have to prove that the information still exists for an X period of time. Does that answer your question? So anybody need more time? Okay, we'll give us another 30 seconds.

So, updating secrets. Yes, you can update, but it's in a very limited context, and I really didn't talk about this. So there's actually two different ways of creating a secret. There is the way that we did it, which is the very simple, including a payload in the initial POST. But there's also what we refer to as a two-step secret, which is where you create the metadata for the secret and then you upload, or you PUT to the secret with the binary contents or things like that. Now, that's only a one-time action, so you can't re-update a secret, and it's primarily just because you really don't want potentially overriding of secret content. But there is sort of a way to update. Does that answer your question? Do we need more time?

Okay, so we talked about creating a secret, retrieving the metadata, retrieving the payload, retrieving a list, and deleting it. Let's talk about orders. So orders, it's generally around what we consider to be workflows. In this case, it's an action that will generate a secret. So exactly like I was mentioning before, it's an asynchronous operation.
So it kind of encapsulates the entire workflow and the history of the secret creation. So oftentimes this might be, like, say if you're creating an SSL certificate, that is a long-term type process that might expand anywhere from, you know, a few minutes to days to weeks, depending on the certificate you're getting and from what CA. But an order, being an asynchronous type of creation, allows for Barbican to interact with a certificate authority or an HSM or whatever provider on the back end to create your secret, but in a long-term, not long-term, but a potentially lengthy process.

With that, we're talking about creating an order. This looks quite similar to creating a secret. In this case, it's just a POST on endpoint/version/orders. Like with a secret creation call, we give it a content type, and in this case we're gonna give a body, and we're gonna say we want a key back. And within that, we're gonna include a metadata with a mode of CBC, bit length 256, algorithm AES, with just a name for some metadata to know what it was, and we want to have that specified to be application/octet-stream for the way that the secret is retrieved. If you're not familiar with what the mode, bit length and algorithm are, don't worry about it, just use the values and it'll be fine. Like with a secret, we also get a reference on creation, and you'll use that for future calls. The important thing about this is that the type could be like a certificate, or it could be whatever plugin back end that can support this kind of information. So in this case, we're just doing a key, which is an insecure key, just to be clear here, because this is not a secure version of Barbican. But for the instance of this workshop, it is perfectly fine. So let's create an order really quick, and then we'll jump into some more actions.

Question? So the order is an asynchronous workflow.
So, you know, in other words, you're having Barbican create a secret on your behalf. So that could be a key, a certificate, maybe you write something custom for Barbican on your own instance of Barbican to process something for you. Whereas a secret in and of itself is that you are storing, like, you know the contents already, and it is a synchronous action where you say, I want to store this blob of data or this text for later retrieval. Answer your question? For SSH keys? No. I'm actually looking back there because it looked like one of my teammates was actually gonna say something. All right, anybody need any more time?

Let's get one. Now, this should start looking rather familiar. In this case, we're gonna use the order ref that we got, and we're going to do a GET call on that. In this case, you'll see a status on here, which is rather important from an asynchronous perspective. Specifically, like, whenever you're creating, say, a certificate, that status might be a pending, or waiting on CA, or there could be a plethora of different statuses that that could actually be, depending on your use case. In this case, we are having Barbican create an insecure blob of data we consider to be a key, so it's gonna virtually go active immediately for you. You'll see in here the data that we provided, so our type, the metadata we provided, and you also see two things in here. You'll see the order ref, which is just that verification piece, and then we also see a secret ref, and this is the actual reference to the secret that Barbican created for us. So you can then retrieve that and take a look at the information Barbican generated. Likewise, you'll also have this created and updated. Now, the created in itself is, yeah, the original timestamp. The updated, now, because this is an asynchronous workflow type process, this might be continuously updated, depending on how many steps in the process that you'd have to go through. With that in mind,
Let's grab our order, and just as a reminder, if you start running into issues or anything like that, there's lovely cheat sheets that you can either copy and paste, or use Postman to kind of just point and click to what you'd like to do. For more advanced users, we are working on a command line client for Barbican, which one of the Barbicaneers can kind of talk you through, but for more of the talking about the information that Barbican consumes and pushes out, it's a little bit easier to sometimes talk about the REST calls directly. Anybody need more time?

Much like with secrets, in some cases you might forget the reference, or you just want to start looking through the orders that you have created, and with that, we provided a paginated interface to grab that information. So this will look just like the way secrets does with its interface. So you'll have a "next" in there if you have more than 10, and you'll also have the order data directly available for you. In this case, we've shortened this up a little bit. This is just retrieving the GET on /v1/orders. Let's go ahead and do that really quick, and then we will move on. If you need more time, raise your hand. Okay. Get some help, or a question? One of the Barbicaneers, get some help on the front here.

Not at the moment. The question was, is there a way to know what algorithms are supported? Not ideal, but we'll give another about 30 seconds. If you need any more time, raise your hand.

Alrighty, let's delete it. This case looks very similar to the way that secrets functions.
So in this case, we'll make a DELETE call on the order ref, including our token to do so, and let's go ahead and do that. Just like with the secret, this is bound to the given role that you are. In this case, because you're an admin role, you can delete this. But in a normal type environment, you may not be able to, depending on how your instance of Barbican is set up. So we'll give it just a minute and then we'll move on. If you need a little more time, raise your hands.

Alrighty, so we've created an order. We've retrieved it, listed, deleted it. Let's talk about containers. So containers is exactly what it sounds like. It is a grouping of secrets. The primary use case for this is where you have a specific collection of secrets that you kind of need to keep in one spot. Okay, so this would be like an RSA key or certificate, where you have to store a private key, a public key, a passphrase for it, or in the case of a certificate, you might also have an intermediate chain or things like that to go along with it. We do support three different types at the moment: in this case, a certificate, an RSA type container, and a generic one. A generic one you can use for whatever you want; you kind of mold it a little bit. The example I believe that we're gonna be using here is an RS... or actually, we're gonna be using a generic container. But if you're so interested, you can play with an RSA container or a certificate container at a different point.

So let's create one. In this case, we're gonna make a POST to /v1/containers, including a content type and our auth token. In this case, we're just gonna say it's a generic container. The primary reason why we're doing this is so we only have to provide one secret ref in here right now. This is mainly just for simplicity here. In this case, we're gonna give it an arbitrary name. We're gonna call it "pit the pitcher", and we have a list in here with a name and a secret ref now.
This requires you to have a secret ref, which, as you've deleted the one you had earlier, you'll have to create another one for this. But in this case, when we create the container, we will get, much like secrets and orders, a reference back telling us exactly where our container is and how you can retrieve it. So let's go ahead and create a container really quick. In case I didn't mention this before: with a generic container you can add in as many secret refs as you want. In an RSA container or a certificate container, you are bound to specific secret elements that you have to fill in, like an actual private key, a private key passphrase, and public key. We'll give about 30 seconds to a minute to create the container. So anybody need more time? Okay, we'll give it a little bit longer, a little more time. We're good. We're starting to run short on time, so I'll get through the rest of these really quick. To retrieve a container, much like with secrets and orders, it's the same sort of principle, where we do a GET call on the reference URL that we were given in the creation step. In this case you will see, much like the others, we will have our type and name. In this case there is a field in here for consumers, which we're not going to go into. If you're really interested, the Neutron and LBaaS guys.
This is something very specific for them, but we're not really gonna dive deep into that. If you're really interested, go catch one of the Barbicaneers and they can kind of fill you in on what the use case for consumers is. We have the secret refs that we were given, and obviously our created and updated fields to follow along. With that in mind, let's grab it really quick and let's move on. So you mean for... So the name itself is a key for Barbican to know what that secret is, and in a generic container it means nothing. In an RSA container, those actually indicate mandatory fields. Sort of answer your question? Any more time? Are we good? All right, much like with secrets and orders, this should look very familiar: grab the list of the containers. Exact same paginated interface, so figure out one, figure them all out. So let's go ahead and jump on that really quick, and this is just a GET for v1/containers. Anybody need a little more time? Deleting it is exactly the same as secrets and orders, so this should look very familiar now. So we do a DELETE call on the reference. Just like with secrets and orders, this is bound based on your user, which you do have permissions for. But let's just go ahead and delete it really quick. Anybody need a little more time? Awesome. All right, you can contain your excitement now. Yeah. Yeah. Yeah. Yeah. All right, so we've created a container, we've retrieved it, got the list of it, and deleted the container itself. So you've successfully gone through the majority of calls on Barbican. The primary benefit of all this is that the ways that you would normally create this stuff or normally store this information, Barbican does it all for you.
So in the case of securely storing your secrets, give Barbican your information through a creation or through a workflow order; it handles it all for you, for a safe retrieval through your application or through some other integration. So I'm not sure how much time we actually have for questions here, but, yeah, for slides, those are available there if you're interested in more information about Barbican. Yeah, question? Yes. Currently in incubation. I shall let the PTL answer that question. Yes, so that is purely just for this demo workshop. Yes, there's a reason why we said it is very insecure. The whole idea of this is, if you want to put it behind SSL, that's up to a deployment decision. In this case, with the little workshop environment we created, we just tossed it up there and said everybody can play with it. So I'll get to that question in a second. So you could, in this case, if you wanted to retrieve the secrets, you most certainly could; there was a secret that was created as a result of it. Beyond that, the order itself is more of metadata that gives you information about how the workflow is in progress. So if you have that secret ref available, you can access the secret that was created as a result of it. But in this case it was virtually instantaneous, so we didn't really see any steps. Yes, so in a real-world case you would create an order, and once the order has come to completion and has gone active, you would then retrieve the secret that was generated as a result of it. Yes. Yes, so in theory, I mean, Barbican in itself, while our default implementation is using Keystone, that is also a deployment decision. Some companies may not actually have Keystone for their authentication, and they might write some other wrapper to proxy and deal with authentication and authorization for Barbican. Being an OpenStack incubated project, our primary concern is Keystone.
So if there's problems with the Keystone, then... Yeah, Barbican in itself abstracts out the storage of your secrets from your own application's database or file system or whatever into its own service that you can essentially isolate off. So it's handling the secure storage and, you could say, transportation of those keys. So, that sort of answer your question? In theory, if you have root access to whatever machine or application that has a key in memory, then, well, yeah, you kind of have an endgame scenario there. Thank you. Fantastic. And there's another question like that. It sounds like a great conversation to have offline. Now, the Barbican guys will be... We have a bunch of design sessions today, so feel free to attend some of those; we'll be addressing a lot of these questions. If we don't address some of those questions there, we'll be here for pretty much the entire week, working down over in the design summit areas and hammering out our release. So thank you for coming. Again, this is just kind of the basic overview of the REST calls that we were doing today. If you're curious about the slides, we have those available, also the etherpad. We'll leave this environment up for a couple more days. Just don't do anything bad on it, please. I would hate to get a call. So yeah, thank you very much.