From: Alex Elsayed <eternaleye@gmail.com>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] LUKS/cryptsetup with HSM
Date: Sun, 09 Mar 2014 13:45:38 -0700 [thread overview]
Message-ID: <lfijt4$r7$1@ger.gmane.org> (raw)
In-Reply-To: 20140306142945.GA16553@tansi.org
That may not be strictly true going forward - in particular, the combination
of the keyctl API (see "trusted keys"[1]) and the "trusted kernel" work[2]
(or possibly whatever name Phoronix comes up with if someone thinks Matthew
Garrett is bluffing) mean that "known to the kernel" == "accessible to root"
may not always hold.
An alternate dmsetup syntax that uses a key in a kernel-side keyring might
be all that's needed for such a thing.
[1]
https://git.kernel.org/cgit/linux/kernel/git/rusty/linux.git/tree/Documentation/security/keys-trusted-encrypted.txt
[2] http://thread.gmane.org/gmane.linux.kernel/1656312
Arno Wagner wrote:
> Hi,
>
> you cannot protect the encryption keys in an HSM. To be effective,
> they need to be known to the kernel and are hence exposed to
> root, see also FAQ Item 6.10. This is a fundamental limitation
> of software-nased encryption.
>
> Or maybe you want to _store_ the _passphrases_ in an HSM when not
> in use? In that case youmay want to feed them to cryptsetup via
> stdin, as described in the man-page.
>
> Arno
>
>
>
> On Thu, Mar 06, 2014 at 08:17:59 CET, Sharma, Manjari wrote:
>> Hi Cryptsetup team,
>>
>> This is Manjari Sharma from SafeNet. SafeNet is the largest company
>> exclusively focused on the protection of high-value information assets.
>> I'm trying to integrate our HSM with LUKS so that the encryption keys are
>> protected in an HSM.
>>
>> Could you please help to provide some pointer. I could not find anything
>> relevant after searching for hours, all I can be assured of is that it
>> can be done.
>>
>> Your help would be highly appreciated.
>>
>> Thanks,
>>
>> Kind Regards,
>> Manjari
>>
>> The information contained in this electronic mail transmission
>> may be privileged and confidential, and therefore, protected
>> from disclosure. If you have received this communication in
>> error, please notify us immediately by replying to this
>> message and deleting it from your computer without copying
>> or disclosing it.
>>
>>
>
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
>
>
next prev parent reply other threads:[~2014-03-09 20:45 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-06 7:17 [dm-crypt] LUKS/cryptsetup with HSM Sharma, Manjari
2014-03-06 14:29 ` Arno Wagner
2014-03-09 20:45 ` Alex Elsayed [this message]
2014-03-09 21:57 ` Arno Wagner
2014-03-09 22:02 ` Arno Wagner
2014-03-10 23:49 ` Alex Elsayed
2014-03-11 6:54 ` Arno Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='lfijt4$r7$1@ger.gmane.org' \
--to=eternaleye@gmail.com \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.