[Opendnssec-user] SoftHSMv2: key extraction

[Paul Wouters]

On Fri, 20 Jun 2014, Rick van Rein wrote:

> What you want is a bypass for private key protection… which is exactly what PKCS #11 is designed to avoid.

But the key extraction could be via non-PKCS#11 method. It could also
insist on some additional permissions (unix, selinux or otherwise).

> This sounds to me like you should not be looking for problem resolution in SoftHSM, but in the surrounding process.  It might transpire that your application is unsuitable for use with PKCS #11, or requires more advanced cryptography that can deal with encapsulated private keys.

hardware HSMs often also allow some kind of export, to allow running the
same private keys amonst shared devices. Usually, after sharing they
can be put into a no-more-export mode. With softhsm, the library could
still not allow any exports while some softhsm util could allow this.

Paul
(note that I don't know the details of Petr's requirements)