[Opendnssec-user] SoftHSMv2: key extraction

Rick van Rein rick at openfortress.nl
Mon Jun 23 16:22:39 UTC 2014


> However, with SoftHSM you still deal with key material in software, aka
> process memory of the CPU. The symmetric wrapping keys has no more
> protection than the private key to the wrapped.

True.  But as long as it sits behind the generic PKCS #11 API that is a
choice made at deployment time by the operator; any other HSM can
replace it if so desired.  Bypassing PKCS #11 to do all private key
processing in the PKCS #11 client software renders that option invalid.


More information about the Opendnssec-user mailing list