[Opendnssec-develop] Creating tokens for SoftHSM

Jakob Schlyter jakob at kirei.se
Wed Feb 11 13:08:22 UTC 2009

what about this idea:

1. the SO can create a token using a program (called "softhsm"). one  
database file per token.

	softhsm --init --pin mekmitasdigoat /var/lib/softhsm/mytoken.db
	(if --pin is omitted, it will ask for the pin)

the private keys of the token is possible encrypted with the pin.

also, the softhsm utility could be used to export keys in standard PEM  
format. ultimately this should only be done by the SO, but since the  
app needs to be able to decrypt the keys, I guess we can allow export  
using the user PIN only.

	softhsm --export --pin mekmitasdigoat --label mykey --out mykey.key / 

(and no, normally you wouldn't specify the pin on the command-line -  
softhsm would ask for it on the tty)

2. a configuration file is used to map each file data to slot ("insert  
the token into the slot")

	slot0 = /var/lib/softhsm/mytoken.db
	slot1 = /var/lib/softhsm/yourtoken.db

3. the app links to the softhsm library and authenticates using the pin.

this scheme would also let you "unplug" the token from the slot and  
move it somewhere else. just like a smartcard.

would this be a resonable solution?


More information about the Opendnssec-develop mailing list