intel / ehsm

An End-to-End Distributed and Scalable Cloud KMS (Key Management System) built on top of Intel SGX enclave-based HSM (Hardware Security Module), aka eHSM.

Home Page: https://community.intel.com/t5/Blogs/Tech-Innovation/open-intel/An-Intel-SGX-based-Hardware-Security-Module-backed-Key/post/1360130?wapkw=eHSM

PKCS#11

dblas opened this issue · comments

commented

Interesting project in security: a new way of seeing key protection.
As you may know, the standard interface towards historical HSMs is PKCS#11.
That's the way we use remote HSMs to store Certification Authority secrets and, more generally, private keys.
Any software that has to deal with such keys has a PKCS#11 interface (often through openssl).

How could we use eHSM that - old - way? Via a specific openssl plugin?
Thanks a lot,
db

Hi dblas,

Thanks for your interest. PKCS#11 interfaces are in the future plan and are not supported yet.

commented

Well, I'll wait, but in the meantime is there a recipe showing how to make a reverse proxy (Apache, nginx) protect its private keys using eHSM?
Thanks,
db

The simplest way to protect private keys is to generate a CMK and then use it to wrap/encrypt your private keys.
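Added example, not eHSM project code, of the wrap/encrypt approach just described, in Go: a fresh data key (DEK) encrypts the proxy's private-key PEM, and that DEK is in turn sealed under the CMK, so only two ciphertexts sit on the reverse-proxy host. The `cmk` byte slice and the local AES-GCM wrap are assumed stand-ins for the eHSM API call, since a real CMK never leaves the enclave.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Domain-separation labels so a wrapped DEK can never be passed off as a wrapped PEM.
var aadDEK, aadPEM = []byte("ehsm-dek"), []byte("tls-private-key-pem")
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM under a fresh random nonce, which is prefixed to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open splits off the nonce and verifies the GCM tag before releasing any plaintext.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil { return nil, err }
	if n := g.NonceSize(); len(sealed) >= n { return g.Open(nil, sealed[:n], sealed[n:], aad) }
	return nil, errors.New("ciphertext too short")
}

// WrapPrivateKey: fresh 256-bit DEK, PEM sealed under it, DEK sealed under the CMK; only the two
// ciphertexts go on the proxy host. cmk is a stand-in (assumption): with eHSM the CMK stays in the enclave.
func WrapPrivateKey(cmk, pemBytes []byte) (encPEM, wrappedDEK []byte, err error) {
	dek := make([]byte, 32)
	if _, err = rand.Read(dek); err != nil { return nil, nil, err }
	if encPEM, err = seal(dek, pemBytes, aadPEM); err != nil { return nil, nil, err }
	wrappedDEK, err = seal(cmk, dek, aadDEK)
	return encPEM, wrappedDEK, err
}

// UnwrapPrivateKey recovers the PEM; it fails closed on a wrong CMK or any tampering.
func UnwrapPrivateKey(cmk, encPEM, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(cmk, wrappedDEK, aadDEK)
	if err != nil { return nil, err }
	return open(dek, encPEM, aadPEM)
}
```

The unwrapped PEM still has to be handed to nginx or Apache in plaintext at startup, so this shrinks the exposure to process memory rather than removing it; that residual gap is what a PKCS#11 path, where the signing operation itself runs inside the HSM, would close.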