[dm-crypt] LUKS/cryptsetup with HSM

Alex Elsayed eternaleye at gmail.com
Sun Mar 9 21:45:38 CET 2014


That may not be strictly true going forward - in particular, the combination 
of the keyctl API (see "trusted keys"[1]) and the "trusted kernel" work[2] 
(or possibly whatever name Phoronix comes up with if someone thinks Matthew 
Garrett is bluffing) mean that "known to the kernel" == "accessible to root" 
may not always hold.

An alternate dmsetup syntax that uses a key in a kernel-side keyring might 
be all that's needed for such a thing.

[1] 
https://git.kernel.org/cgit/linux/kernel/git/rusty/linux.git/tree/Documentation/security/keys-trusted-encrypted.txt
[2] http://thread.gmane.org/gmane.linux.kernel/1656312

Arno Wagner wrote:

> Hi,
> 
> you cannot protect the encryption keys in an HSM. To be effective,
> they need to be known to the kernel and are hence exposed to
> root, see also FAQ Item 6.10. This is a fundamental limitation
> of software-nased encryption.
> 
> Or maybe you want to _store_ the _passphrases_ in an HSM when not
> in use? In that case youmay want to feed them to cryptsetup via
> stdin, as described in the man-page.
> 
> Arno
> 
> 
> 
> On Thu, Mar 06, 2014 at 08:17:59 CET, Sharma, Manjari wrote:
>> Hi Cryptsetup team,
>> 
>> This is Manjari Sharma from SafeNet. SafeNet is the largest company
>> exclusively focused on the protection of high-value information assets.
>> I'm trying to integrate our HSM with LUKS so that the encryption keys are
>> protected in an HSM.
>> 
>> Could you please help to provide some pointer. I could not find anything
>> relevant after searching for hours, all I can be assured of is that it
>> can be done.
>> 
>> Your help would be highly appreciated.
>> 
>> Thanks,
>> 
>> Kind Regards,
>> Manjari
>> 
>> The information contained in this electronic mail transmission
>> may be privileged and confidential, and therefore, protected
>> from disclosure. If you have received this communication in
>> error, please notify us immediately by replying to this
>> message and deleting it from your computer without copying
>> or disclosing it.
>> 
>> 
> 
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt at saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
> 
> 



More information about the dm-crypt mailing list