[dm-crypt] Managing wrapped key ciphers with cryptsetup

Milan Broz gmazyland at gmail.com
Sun Jul 9 16:58:23 CEST 2017


On 04/27/2017 05:09 PM, Hendrik Brueckner wrote:
>
> Of course, I think it is and I would be glad when we can work together
> on a solution.

Hi,

so I finally got through the discussion and the patches.

And no, I think this should not be a part of the cryptsetup core as it is.

I mentioned some reasons in the comment for merge request:
  https://gitlab.com/cryptsetup/cryptsetup/merge_requests/19

I understand that this is interesting for IBM to have supported
in enterprise distros. I would like to have some support
for this feature as well, but not in a way that complicates the code
for others and makes it HW-dependent for everyone.

I have mentioned a possible way to do it in the comment as well.

(I think some external application linked to libcryptsetup,
and then handling your pAES algorithm and wrapped key just as
another encryption algorithm, is much cleaner.)

The pAES (and PKEY ioctls) are currently only available on IBM s390
(and I guess only on some models; guessing from Linux kernel sources),
so this is an enterprise-only thing.

BTW does the Hercules emulator support this so a regular user
can try the HSM interface?
(I probably have access to the real HW if needed, but for other people.)

Thanks for the patches and discussion anyway!

Milan


