[Opendnssec-develop] Virtualization and HSM support
Jerry Lundström
jerry at opendnssec.org
Thu Feb 6 10:29:30 UTC 2014
Maybe move this discussion to the user list since replies from Sebastian
will get stuck for approval and info might be useful for others?
--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
On 6 feb 2014, at 11:08, Jakob Schlyter <jakob at kirei.se> wrote:
On 6 feb 2014, at 08:03, Matthijs Mekking <matthijs at NLnetLabs.nl> wrote:
During the OpenDNSSEC tutorial, one of the attendants asked me if USB
or PCI-based HSM worked well with virtualization, for example, to deploy
an HSM to a host and run a bunch of virtual servers to provide the
signing service to different "customers". Do you have any experience
around that topic? Feel free to discuss the idea internally.
Passthrough would only work for one virtual server at a time, so sharing
would not be very useful.
I would look into a PKCS#11 proxy [1] instead, basically creating your own
networked HSM with a USB/PCI backend.
However, the "customers" would need to trust each other somewhat, as they
actually share tokens within the same HSM.
jakob
[1] https://github.com/SUNET/pkcs11-proxy