[Softhsm-develop] Root of trust in SoftHSM
Full Name
nuncestbibendum at excite.com
Tue Apr 6 13:25:05 UTC 2021
My questions are to do with how key material that has been generated within (or loade into) SoftHSM is protected when in permanent storage. My guess is that it is encrypted with a symmetric key available to SoftHSM alone, that will be fed to AES - or something similar - to decrypt (or encrypt) the key material as necessary. On this basis my questions are the following:
1. Is the mechanism described even close to the approach taken by SoftHSM? Either way, where is the mechanism used described?
2. Assuming hereinafter that a root symmetric key is indeed used to protect the key material in permanent storage, where is that symmetric key coming from?
3. Is the root symmetric key generated based on the SO, or CO, credentials?
4. Is the root symmetric key stored somewhere, obfuscated but in the clear?
5. Does SoftHSM provide the capability to retrieve this root symmetric key from some separate piece of hardware, such as a TPM or a YubiKey?
More information about the Softhsm-develop
mailing list