From: Alex Elsayed
Date: Sun, 09 Mar 2014 13:45:38 -0700
Subject: Re: [dm-crypt] LUKS/cryptsetup with HSM
To: dm-crypt@saout.de
References: <20140306142945.GA16553@tansi.org>

That may not be strictly true going forward - in particular, the combination of the keyctl API (see "trusted keys"[1]) and the "trusted kernel" work[2] (or possibly whatever name Phoronix comes up with if someone thinks Matthew Garrett is bluffing) means that "known to the kernel" == "accessible to root" may not always hold.

An alternate dmsetup syntax that uses a key in a kernel-side keyring might be all that's needed for such a thing.

[1] https://git.kernel.org/cgit/linux/kernel/git/rusty/linux.git/tree/Documentation/security/keys-trusted-encrypted.txt
[2] http://thread.gmane.org/gmane.linux.kernel/1656312

Arno Wagner wrote:

> Hi,
>
> you cannot protect the encryption keys in an HSM. To be effective,
> they need to be known to the kernel and are hence exposed to
> root, see also FAQ Item 6.10. This is a fundamental limitation
> of software-based encryption.
>
> Or maybe you want to _store_ the _passphrases_ in an HSM when not
> in use? In that case you may want to feed them to cryptsetup via
> stdin, as described in the man-page.
>
> Arno
>
> On Thu, Mar 06, 2014 at 08:17:59 CET, Sharma, Manjari wrote:
>> Hi Cryptsetup team,
>>
>> This is Manjari Sharma from SafeNet. SafeNet is the largest company
>> exclusively focused on the protection of high-value information assets.
>> I'm trying to integrate our HSM with LUKS so that the encryption keys are
>> protected in an HSM.
>>
>> Could you please help to provide some pointers. I could not find anything
>> relevant after searching for hours; all I can be assured of is that it
>> can be done.
>>
>> Your help would be highly appreciated.
>>
>> Thanks,
>>
>> Kind Regards,
>> Manjari
>>
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
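The distinction the reply leans on, a key that the kernel holds but will not hand back to userspace, can be seen today with plain keyutils, without a TPM or the trusted-kernel patches. The script below is an added illustration, not code from the thread or from cryptsetup: it adds a "user" key and a "logon" key to the session keyring and tries to read each payload back. The key description and payload are constructed for the demo; it assumes keyctl(1) is installed and the kernel was built with CONFIG_KEYS.

```sh
#!/bin/sh
# Added example (not from the thread): shows, with keyutils' keyctl(1), the
# difference between a key being "known to the kernel" and "accessible to
# root". A "user" key hands its payload back to whoever may read it; a
# "logon" key is held for in-kernel consumers only and `keyctl print`
# fails with "Operation not supported".
# Assumes keyctl is installed and the kernel has CONFIG_KEYS; description
# and payload below are constructed for the demo.

# probe_key_type TYPE
#   Adds a TYPE key ("user" or "logon") to the session keyring, tries to
#   read the payload back, unlinks the key again, and prints one of:
#     readable     payload came back byte-for-byte
#     opaque       key exists but the kernel refused to return the payload
#     unavailable  keyctl missing, or the keyring syscalls are blocked here
probe_key_type() {
    type="$1"
    desc="demo:$type:$$"            # logon keys need a "service:..." description
    payload="constructed-demo-secret"

    command -v keyctl >/dev/null 2>&1 || { echo unavailable; return 0; }

    # padd reads the payload from stdin, so it never shows up in ps(1) output
    if ! id=$(printf '%s' "$payload" | keyctl padd "$type" "$desc" @s 2>/dev/null); then
        echo unavailable
        return 0
    fi

    if out=$(keyctl print "$id" 2>/dev/null) && [ "$out" = "$payload" ]; then
        result=readable
    else
        result=opaque
    fi

    keyctl unlink "$id" @s >/dev/null 2>&1
    echo "$result"
}

# Both run as the same uid; on a host with working keyrings the first
# prints "readable" and the second "opaque", even when that uid is root.
echo "user  key: $(probe_key_type user)"
echo "logon key: $(probe_key_type logon)"
```

Two caveats a practitioner should keep in mind. Keyring opacity only closes the keyctl read path: a root that can load modules or read /proc/kcore can still pull the key out of kernel memory, which is exactly why the reply pairs the keyring with the trusted-kernel work rather than treating either alone as sufficient. And the "alternate dmsetup syntax" the reply wishes for did land later, in Linux 4.10, where the key field of a dm-crypt table may be written as `:<key_size>:<key_type>:<key_description>` to reference a kernel keyring key instead of passing the key in hex; that is outside this 2014 thread and is mentioned here only for orientation.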