[Opendnssec-develop] Make the keys extractable from HSM?

Roy Arends roy at nominet.org.uk
Tue Nov 24 09:06:39 UTC 2009


Rickard Bellgrim <rickard.bellgrim at iis.se> wrote on 11/24/2009 08:54:22 AM:

> > By default, no. Default should be to have it not exportable. Flipping
> > the 'exportable bit' must also be a one way function. You can switch
> > from exportable to not exportable, but not from not-exportable to
> > exportable.
> 
> Yeah. This is something that can only be done when you are creating 
> the key (setting the key to extractable).

Cool!

> > In general, keys only need to be exportable when an HSM roll is due. By
> > that time, a key can be generated that is exportable.
> > 
> > > Just want to discuss this topic, so that we do not lock the user
> > > down. Or is it better to protect against a potential threat of
> > leaking keys?
> > 
> > IMHO it is not a mutual exclusive choice. We need to protect against a
> > potential threat of leaking keys all the time, but only enable the user
> > to export the key as an explicit conscious choice.
> 
> Ok, sounds like a feature for version 2.0. The HSMs are probably not
> going to be rolled in this time frame.

As for replication of the keystore (backup, fallback, failover purposes), 
some HSMs have functionality for that, independent of applications that 
are using the HSM. (as an example, 'scamgr backup' provides this for Sun's 
SCA6000).

As for rolling to a new HSM, that can be done without exporting keys, by 
aligning a key-roll with hsm-roll.

So, I concur. This feature is not needed for version 1.0, but let's make 
sure that by default, the keys that are generated are not exportable.

Thanks,

Roy
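As an added example (not part of this thread, and not OpenDNSSEC or libhsm code): a Python model of the PKCS#11 attributes that govern whether a private key can leave a token. The attribute semantics are those of the PKCS#11 specification: CKA_EXTRACTABLE may only be changed from TRUE to FALSE, CKA_SENSITIVE only from FALSE to TRUE, and the token-maintained CKA_ALWAYS_SENSITIVE / CKA_NEVER_EXTRACTABLE record the key's history and are read-only. That is exactly the "one way" behaviour discussed above. The simulated token, the default template, the key labels and the audit helper are assumptions made for this example.

```python
# Added example: model of PKCS#11 extractability attributes and an audit
# helper. Constructed for illustration; it does not talk to a real HSM.
from dataclasses import dataclass

# Attribute names as in PKCS#11. Semantics (per the specification):
#   CKA_SENSITIVE    - key material can never be read out in the clear;
#                      may only change FALSE -> TRUE
#   CKA_EXTRACTABLE  - key may be wrapped out with C_WrapKey;
#                      may only change TRUE -> FALSE
#   CKA_ALWAYS_SENSITIVE / CKA_NEVER_EXTRACTABLE - fixed by the token at
#                      creation and read-only afterwards
SENSITIVE = "CKA_SENSITIVE"
EXTRACTABLE = "CKA_EXTRACTABLE"

# Assumed default template: a new private key is not exportable unless the
# caller explicitly asks for it at generation time.
DEFAULT_PRIVATE_KEY_TEMPLATE = {SENSITIVE: True, EXTRACTABLE: False}


class AttributeReadOnly(Exception):
    """Models the CKR_ATTRIBUTE_READ_ONLY error a token would return."""


@dataclass
class SimulatedKey:
    label: str
    sensitive: bool
    extractable: bool
    always_sensitive: bool   # TRUE only if CKA_SENSITIVE was TRUE from creation
    never_extractable: bool  # TRUE only if CKA_EXTRACTABLE was FALSE from creation


def generate_key(label, template=None):
    """Create a key from the default template merged with explicit overrides.
    The history attributes are decided here and never change afterwards."""
    attrs = {**DEFAULT_PRIVATE_KEY_TEMPLATE, **(template or {})}
    return SimulatedKey(
        label=label,
        sensitive=attrs[SENSITIVE],
        extractable=attrs[EXTRACTABLE],
        always_sensitive=attrs[SENSITIVE],
        never_extractable=not attrs[EXTRACTABLE],
    )


def set_attribute(key, name, value):
    """Apply a C_SetAttributeValue-style change, enforcing the one-way rules."""
    if name == EXTRACTABLE:
        if value and not key.extractable:
            raise AttributeReadOnly("CKA_EXTRACTABLE cannot be set back to TRUE")
        key.extractable = value
    elif name == SENSITIVE:
        if key.sensitive and not value:
            raise AttributeReadOnly("CKA_SENSITIVE cannot be set back to FALSE")
        key.sensitive = value
    else:
        # CKA_ALWAYS_SENSITIVE / CKA_NEVER_EXTRACTABLE and anything else are
        # not settable in this model.
        raise AttributeReadOnly(f"{name} is read-only")
    return key


def audit_key(key):
    """Return findings for a key that is, or ever was, exportable or readable."""
    findings = []
    if key.extractable:
        findings.append(f"{key.label}: CKA_EXTRACTABLE is TRUE (key can be wrapped out)")
    if not key.never_extractable:
        findings.append(f"{key.label}: CKA_NEVER_EXTRACTABLE is FALSE (key was exportable at some point)")
    if not key.sensitive:
        findings.append(f"{key.label}: CKA_SENSITIVE is FALSE (key material readable in the clear)")
    if not key.always_sensitive:
        findings.append(f"{key.label}: CKA_ALWAYS_SENSITIVE is FALSE (key was readable at some point)")
    return findings


if __name__ == "__main__":
    # Default generation: nothing to report.
    zsk = generate_key("zsk-default")
    print(audit_key(zsk) or "zsk-default: OK, never exportable")

    # Key generated exportable for an HSM roll, then locked down afterwards.
    roll = generate_key("roll-key", {EXTRACTABLE: True})
    set_attribute(roll, EXTRACTABLE, False)
    print(audit_key(roll))  # history still shows it was once exportable
    try:
        set_attribute(roll, EXTRACTABLE, True)
    except AttributeReadOnly as err:
        print("refused:", err)
```

The audit distinguishes the current state from the history attributes: after an exportable roll key has been locked down, CKA_EXTRACTABLE is FALSE but CKA_NEVER_EXTRACTABLE stays FALSE, so a reviewer can still tell that the key once left, or could have left, the token.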
