[Opendnssec-user] Virtualization and HSM support
Jakob Schlyter
jakob at kirei.se
Thu Feb 6 11:04:31 UTC 2014
On 6 feb 2014, at 08:03, Matthijs Mekking <matthijs at NLnetLabs.nl> wrote on OpenDNSSEC-develop:
> During the OpenDNSSEC tutorial, one of the attendants asked me if USB
> or PCI-based HSM worked well with virtualization, for example, to deploy
> an HSM to a host and run a bunch of virtual servers to provide the
> signing service to different "customers". Do you have any experience
> around that topic? Feel free to discuss the idea internally.
Passthrough would only work for one virtual server at a time, so sharing would not be very useful.
I would look into a PKCS#11 proxy [1] instead, basically creating your own networked HSM with a USB/PCI backend.
However, the "customers" would need to trust each other somewhat, as they actually share tokens within the same HSM.
jakob
[1] https://github.com/SUNET/pkcs11-proxy
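The setup Jakob sketches above, as an added example that is not part of the thread nor code from the pkcs11-proxy or OpenDNSSEC projects: one pkcs11-daemon on the host that owns the USB/PCI HSM, and each signer VM loading the proxy client library as its PKCS#11 module in conf.xml. Assumptions to check against your pkcs11-proxy build: the daemon is started as `pkcs11-daemon <backend module>`, clients load `libpkcs11-proxy.so`, both sides read `PKCS11_PROXY_SOCKET` (`tcp://host:port`) and `PKCS11_PROXY_TLS_PSK_FILE`, and the PSK file holds one `identity:hexkey` line. The module paths, host address, token labels and PINs are constructed; `proxy_env`, `make_psk_line`, `check_proxy_config` and `ods_repository_xml` are helper names invented here.

```shell
# Added example (not from the thread, pkcs11-proxy or OpenDNSSEC). Shares one
# USB/PCI HSM among several signer VMs through pkcs11-proxy.
BACKEND_MODULE=/usr/lib/libvendorhsm.so        # hypothetical vendor PKCS#11 module on the host
CLIENT_MODULE=/usr/lib/libpkcs11-proxy.so      # proxy client library on each signer VM
PROXY_ADDR=10.0.0.5                            # constructed: address of the host holding the HSM
PROXY_PORT=2345
PSK_FILE=/etc/pkcs11-proxy/psk.txt

# Environment that both pkcs11-daemon (host side) and the client library (VM side)
# read; assumed variable names, see the pkcs11-proxy README for your version.
proxy_env() {
    printf 'PKCS11_PROXY_SOCKET=tcp://%s:%s PKCS11_PROXY_TLS_PSK_FILE=%s' "$1" "$2" "$3"
}

# Assumed PSK file format: one "identity:hex-key" line, identical on daemon and
# client. 32 random bytes; keep the file mode 0600 on both sides.
make_psk_line() {
    printf '%s:%s\n' "$1" "$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')"
}

# Refuse the two settings that turn the proxy into an open network HSM: a
# plaintext listener (no PSK file) and a listener bound to every interface.
check_proxy_config() {
    sock=$1
    psk=$2
    case $sock in
        tcp://0.0.0.0:*) echo "proxy would listen on all interfaces" >&2; return 1 ;;
        tcp://*) ;;
        *) echo "unexpected socket spec: $sock" >&2; return 1 ;;
    esac
    if [ -z "$psk" ]; then
        echo "no TLS-PSK file: PINs and key material would cross the wire in clear" >&2
        return 1
    fi
    return 0
}

# <Repository> block for a signer VM's OpenDNSSEC conf.xml, pointing the signer at
# the proxy client library instead of a local HSM module. Give each customer its
# own token label and PIN: the proxy adds no isolation beyond the backend's
# tokens, so a VM that learns another customer's PIN can use that customer's keys.
ods_repository_xml() {
    cat <<EOF
<Repository name="$1">
    <Module>$CLIENT_MODULE</Module>
    <TokenLabel>$2</TokenLabel>
    <PIN>$3</PIN>
</Repository>
EOF
}

# Host side, run once on the machine with the HSM (shown, not executed here):
#   check_proxy_config "tcp://$PROXY_ADDR:$PROXY_PORT" "$PSK_FILE" &&
#   env $(proxy_env "$PROXY_ADDR" "$PROXY_PORT" "$PSK_FILE") pkcs11-daemon "$BACKEND_MODULE"
# VM side: export the same two variables for ods-enforcerd/ods-signerd and put
#   ods_repository_xml customer-a CustomerAToken '<customer A PIN>'
# into conf.xml's <RepositoryList>.
```

The pre-flight check is the part worth keeping: with plain `tcp://` and no PSK, every signer's PIN and every signature request crosses the hypervisor network in clear, and binding to all interfaces exposes the whole HSM to any VM that can reach the port.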