From: Milan Broz
Message-ID: <5738B651.8040105@gmail.com>
Date: Sun, 15 May 2016 19:48:01 +0200
Subject: Re: [dm-crypt] PKCS#11 support in cryptsetup
To: Johanna A, dm-crypt@saout.de

On 05/07/2016 09:03 AM, Johanna A wrote:
> In a comment to the last pull request I suggest adding pkcs#11 support
> in cryptsetup in a similar way as to how keyfiles are handled. In a
> way keyfiles and pkcs#11 data objects are quite similar. Both are
> accessible via a URI (https://tools.ietf.org/html/rfc7512), both can
> be read depending on size or until EOF.

Hi,

in the new version of LUKS we plan to add some kind of token support
(at least to store some metadata inside LUKS to identify what token
can open particular keyslots and that token will contain data to open
a particular keyslot).

Anyway, PKCS#11 is one of the examples I would like to see tested from
the beginning. What library it should use is another question.

It would be nice if you can create a "feature request" issue on the
cryptsetup gitlab page (https://gitlab.com/cryptsetup/cryptsetup/issues)
and link your code (and possibly previous discussion) there.

We will return to that later (I guess in 1-2 months, unfortunately...)
and I will update the issue there once this happens.

Thanks,
Milan