[dm-crypt] LUKS/cryptsetup with HSM

Arno Wagner arno at wagner.name
Thu Mar 6 15:29:45 CET 2014


you cannot protect the encryption keys in an HSM. To be effective,
they need to be known to the kernel and are hence exposed to
root, see also FAQ Item 6.10. This is a fundamental limitation 
of software-nased encryption. 

Or maybe you want to _store_ the _passphrases_ in an HSM when not 
in use? In that case youmay want to feed them to cryptsetup via 
stdin, as described in the man-page.


On Thu, Mar 06, 2014 at 08:17:59 CET, Sharma, Manjari wrote:
> Hi Cryptsetup team,
> This is Manjari Sharma from SafeNet. SafeNet is the largest company
> exclusively focused on the protection of high-value information assets. 
> I'm trying to integrate our HSM with LUKS so that the encryption keys are
> protected in an HSM.
> Could you please help to provide some pointer. I could not find anything
> relevant after searching for hours, all I can be assured of is that it can
> be done.
> Your help would be highly appreciated.
> Thanks,
> Kind Regards,
> Manjari
> The information contained in this electronic mail transmission 
> may be privileged and confidential, and therefore, protected 
> from disclosure. If you have received this communication in 
> error, please notify us immediately by replying to this 
> message and deleting it from your computer without copying 
> or disclosing it.

> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -  Plato

More information about the dm-crypt mailing list