[Opendnssec-user] Moving HSM's

Rick van Rein rick at openfortress.nl
Mon Oct 8 10:31:00 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

> > I'm looking for documentation or methodology on how to move between
> > unlike HSMs - e.g. between the SoftHSM and a hardware version. Can this
> > be done easily or is this a 'first remove DS from parent' type
> > operation?
> > I would have thought that a number of OpenDNSSEC users would have
> > started using the SoftHSM and would later migrate to Hardware - so guess
> > someone has done this?
> 
> Does this help: https://dnssec.surfnet.nl/?p=771 ?

Yes, that should help you.  It is better than exporting your keys from
SoftHSM into a hardware HSM, because that would mean you protect your
keys well, but haven't done so in the past.  It'd never feel quite right.

The only thing in that direction could be to import the keys and then
to roll them.  I think the above, well-tested and well-documented,
procedure is better -- unless you know very well what you are doing.

- -Rick
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: New to PGP? http://openfortress.nl/doc/essay/OpenPGP/index.nl.html

iEYEARECAAYFAlByq2QACgkQFBGpwol1RgaQpgCfcsuqawMCa9L1rC1MrWue562/
iZsAnAg4ZJllI9LFmBGUBBXcsb9eJA2x
=1ZpG
-----END PGP SIGNATURE-----


