[Opendnssec-user] Migrating from SoftHSM1 to 2

Berry A.W. van Halderen berry at nlnetlabs.nl
Thu Oct 10 07:58:22 UTC 2019


On 10/9/19 4:23 PM, Mathieu Arnold wrote:
> Hi,
> 
> I am currently running tests with SoftHSM2 to make sure the migration
> from 1 to 2 goes without any hitch.
> 
> The documentation of SoftHSM is pretty sparse, and I am wondering about
> objectstore.backend.
> 
> The default is "file", which uses the filesystem as a database, and
> another possibility is "db" which uses a SQLite3 database instead of the
> filesystem, like SoftHSM1 used to do.
> 
> I am wondering what are the pros and cons of each, knowing that my
> OpenDNSSEC installation has thousands of domains.

I'm not really sure on the design goals, so these are just my personal
observations.
The file db scatters keys over multiple files, making it harder for
attackers to find key material.  It will also be faster.  However, the
SQLite3 is easier for operational environments to back up (just one file)
and is more transactional in that respect.  Many just use file-based as
it is the default.

\Berry
