[Opendnssec-user] SoftHSMv2: key extraction
pspacek at redhat.com
Fri Jun 20 16:48:56 UTC 2014
On 20.6.2014 18:27, Rick van Rein wrote:
>> Unfortunately, it is absolutely crucial feature and we can't migrate to v2 until we find a way how to do key exports.
> Are you talking about wrapped export, or plaintext export of private keys?
Well, the intent is to take keys from (local) SoftHSM, wrap them with
symmetric key and distribute resulting blobs to all nodes in a distributed
So if we speak about wrapped export, the requirement is to be able to use raw
symmetric key as wrapping key (without password->key derivation).
Of course, it would be better to use PKCS#11 as interface on top of the
distribution mechanism itself and omit "key export-import phase", but it will
take a long time to develop it. (However, it is the long-term plan.)
Maybe I should add that this key export-import will happen in memory of single
machine so there is not a huge risk.
>> I understand that it is not desirable to enable this by default, it is perfectly fine to provide key export in separate binary (i.e. not built-in into softhsm2-util).
> What you want is a bypass for private key protection… which is exactly what PKCS #11 is designed to avoid.
Please correct me if I'm wrong but my impression is that SoftHSM doesn't
provide *real* protection. The library and keys are loaded to process memory
(process = the PKCS#11 caller) ... Isn't it correct?
Some level of protection could be provided by process separation, i.e. one
process maintains key database and provides PKCS#11 interface and other
processes connect to the first process ('key keeper').
> This sounds to me like you should not be looking for problem resolution in SoftHSM, but in the surrounding process. It might transpire that your application is unsuitable for use with PKCS #11, or requires more advanced cryptography that can deal with encapsulated private keys.
As I said, I'm trying to solve key distribution problem in clustered environment.
For now I would like to get key extraction working in SoftHSM (either to get
plain text key or key wrapped with raw symmetric key).
I hope this explains the intent.
More information about the Opendnssec-user