[Opendnssec-user] Sun SCA6000 and on-board USB
rickard.bellgrim at iis.se
Sat May 22 16:41:40 UTC 2010
> If anyone could leak details on
> - the partition table scheme (f.ex. output of 'fdisk -l /dev/sdX'),
> - the filesystem type,
> - the tools used for partitioning and filesystem formatting (standard
> GNU/Linux fdisk and mkfs or something else?),
We formatted the USB with these commands:
# Get the path to the USB stick
# Unmount it
sudo umount /media/XXXX-XXXX
# And format it
sudo mkfs.vfat -I /dev/sdX
> - card admin console commands
First log in using the admin tool or the serial interface. Then perform the following command to do a backup (we use the serial interface).
sca6000, ...}> backup master-key
Backup file name: <name of backup file>
Backup file password: <password>
Confirm password: <password>
/usb0/<name of backup file>
> The SCA6000 User Guide only recommends some USB stick models but does
> not say anything about how the sticks should be initialized.
We use CORSAIR FLASH SURVIVOR 8GB USB 2.0
> ... And every time the SCA6000 diagnostics fails for the USB part that
> the stick cannot be used. The cards are not in FIPS mode.
The diagnostics for the USB always fails for us, so we do not perform the diagnostics with the USB attached. But it works to do backups and restoration to/from the USB.
> Of course we can backup the master key via the host but we'd rather
> avoid exposing the master key backup to the host (even though the backup
> will be encrypted).
Our first idea was to back up the master key to the USB and share this key between the cards. Then just have a cronjob which synchronizes the key database file on disk.
The problem was that the second card did not recognize the key database file from the first card. The file could be backed up and restored locally, but not with other cards. The key database file is probably encrypted using the master key in combination with the serial number.
The only solution was to do "backup keystore" and not "backup master" + synchronization of files. But if you want to do "backup keystore", then you have to have a SO logged in. And we did not want this manual task every month. So we had to pregenerate keys for 10 years, thus only doing this operation one time.
You could also try the solution with a centralized keystore using LDAP.