[dm-crypt] LUKS/cryptsetup with HSM
eternaleye at gmail.com
Sun Mar 9 21:45:38 CET 2014
That may not be strictly true going forward - in particular, the combination
of the keyctl API (see "trusted keys") and the "trusted kernel" work
(or possibly whatever name Phoronix comes up with if someone thinks Matthew
Garrett is bluffing) mean that "known to the kernel" == "accessible to root"
may not always hold.
An alternate dmsetup syntax that uses a key in a kernel-side keyring might
be all that's needed for such a thing.
Arno Wagner wrote:
> you cannot protect the encryption keys in an HSM. To be effective,
> they need to be known to the kernel and are hence exposed to
> root, see also FAQ Item 6.10. This is a fundamental limitation
> of software-nased encryption.
> Or maybe you want to _store_ the _passphrases_ in an HSM when not
> in use? In that case youmay want to feed them to cryptsetup via
> stdin, as described in the man-page.
> On Thu, Mar 06, 2014 at 08:17:59 CET, Sharma, Manjari wrote:
>> Hi Cryptsetup team,
>> This is Manjari Sharma from SafeNet. SafeNet is the largest company
>> exclusively focused on the protection of high-value information assets.
>> I'm trying to integrate our HSM with LUKS so that the encryption keys are
>> protected in an HSM.
>> Could you please help to provide some pointer. I could not find anything
>> relevant after searching for hours, all I can be assured of is that it
>> can be done.
>> Your help would be highly appreciated.
>> Kind Regards,
>> The information contained in this electronic mail transmission
>> may be privileged and confidential, and therefore, protected
>> from disclosure. If you have received this communication in
>> error, please notify us immediately by replying to this
>> message and deleting it from your computer without copying
>> or disclosing it.
>> dm-crypt mailing list
>> dm-crypt at saout.de
More information about the dm-crypt