[Opendnssec-user] Virtualization and HSM support

Jakob Schlyter jakob at kirei.se
Thu Feb 6 11:04:31 UTC 2014

On 6 feb 2014, at 08:03, Matthijs Mekking <matthijs at NLnetLabs.nl> wrote on OpenDNSSEC-develop:

> During the OpenDNSSEC tutorial, I one of the attendants asked me if USB
> or PCI-based HSM worked well with virtualization, for example, to deploy
> an HSM to a host and run a bunch of virtual servers to provide the
> signing service to different "customers". Do you have any experience
> around that topic? Feel free to discuss the idea internally.

Passthrough would only work for one virtual server at a time, so sharing would not be very useful.
I would look into a PKCS#11 proxy [1] instead, basically creating your own networked HSM with a USB/PCI backend.

However, the "customers" would need to trust each somewhat, as they actually share tokens within the same HSM.


[1] https://github.com/SUNET/pkcs11-proxy

More information about the Opendnssec-user mailing list