On Wed, Oct 28, 2020 at 9:43 AM Bruce Momjian <br...@momjian.us> wrote:
>

> I don't know much about how to hook into that stuff so if you have an
> idea, I am all ears.


Yeah, I have a reasonable idea. The main thing will be to re-read the patch
and put it into more concrete terms, which I'll try to find time for soon.
I need to find time to craft a proper demo that uses a virtual hsm, and can
also demonstrate how to use the host TPM or a Yubikey using the simple
openssl engine interfaces or a URI.


> I have used OpenSSL with Yubikey via pkcs11.  You
> can see the use of it on slide 57 and following:
>
>         https://momjian.us/main/writings/crypto_hw_config.pdf#page=57
>
> Interestingly, that still needed the user to type in a key to unlock the
> Yubikey, so we might need PKCS11 and a password for the same server
> start.
>


Yes, that's possible. But in that case the passphrase will be asked for by
openssl only when required, and we'll need to supply an openssl askpass
hook.
