On 20.6.2014 18:27, Rick van Rein wrote:
>> Unfortunately, it is an absolutely crucial feature and we can't migrate to v2
>> until we find a way to do key exports.
>
> Are you talking about wrapped export, or plaintext export of private keys?

Well, the intent is to take keys from (local) SoftHSM, wrap them with a symmetric key and distribute the resulting blobs to all nodes in a distributed cluster.

So if we speak about wrapped export, the requirement is to be able to use a raw symmetric key as the wrapping key (without password->key derivation).

Of course, it would be better to use PKCS#11 as the interface on top of the distribution mechanism itself and omit the "key export-import phase", but it will take a long time to develop it. (However, it is the long-term plan.)

Maybe I should add that this key export-import will happen in the memory of a single machine so there is not a huge risk.

>> I understand that it is not desirable to enable this by default, it is
>> perfectly fine to provide key export in a separate binary (i.e. not built into
>> softhsm2-util).
>
> What you want is a bypass for private key protection… which is exactly what
> PKCS #11 is designed to avoid.

Please correct me if I'm wrong but my impression is that SoftHSM doesn't provide *real* protection. The library and keys are loaded into process memory (process = the PKCS#11 caller) ... Isn't that correct?

Some level of protection could be provided by process separation, i.e. one process maintains the key database and provides the PKCS#11 interface and other processes connect to the first process ('key keeper').

> This sounds to me like you should not be looking for problem resolution in
> SoftHSM, but in the surrounding process.  It might transpire that your
> application is unsuitable for use with PKCS #11, or requires more advanced
> cryptography that can deal with encapsulated private keys.

As I said, I'm trying to solve the key distribution problem in a clustered environment.

For now I would like to get key extraction working in SoftHSM (either to get a plain text key or a key wrapped with a raw symmetric key).

I hope this explains the intent.

--
Petr^2 Spacek
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
