[Opendnssec-user] SoftHSMv2: key extraction
Rick van Rein
rick at openfortress.nl
Mon Jun 23 16:22:39 UTC 2014
Yeah,
> However, with SoftHSM you still deal with key material in software, aka
> process memory of the CPU. The symmetric wrapping keys have no more
> protection than the private key to be wrapped.
True. But as long as it sits behind the generic PKCS #11 API that is a
choice made at deployment time by the operator; any other HSM can
replace it if so desired. Bypassing PKCS #11 to do all private key
processing in the PKCS #11 client software renders that option invalid.
-Rick