From: Ingo Franzki
To: "FERON, Laurent (SOGETI REGIONS SAS)", dm-crypt@saout.de
Date: Mon, 4 Nov 2019 15:24:42 +0100
Subject: Re: [dm-crypt] LUKS + HSM
Message-Id: <8145e337-5694-41ac-b347-b42a03cb4ebf@linux.ibm.com>
In-Reply-To: <66a92cda384e4325bb5cacf59e0d77a2@DE0-44DAG04-P01.central.mail.corp>
References: <66a92cda384e4325bb5cacf59e0d77a2@DE0-44DAG04-P01.central.mail.corp>

On 04.11.2019 14:55, FERON, Laurent (SOGETI REGIONS SAS) wrote:
> Hello All
> Is it possible to use LUKS with an HSM? Apparently yes, based on some pages on the Net, but it is not well explained how to proceed with this integration (through P11).
> I would like a maximum of crypto operations performed within the HSM without any human operations.
> Which key can we use in the HSM (symmetric, asymmetric, or asymmetric with certificate)?
> Once done, is it possible to renew the keys?
> Etc ...
> If someone has already added an HSM for LUKS and can give advice, it will help me a lot ... Thanks
> Laurent

Hi Laurent,

not sure if this is exactly what you are looking for, but there is a solution for using secure keys (i.e. keys encrypted by a master key of an HSM) with dm-crypt for the IBM Z (s390x) architecture.

It is making use of a special kernel cipher called 'paes' which can be used with dm-crypt transparently, but uses secure keys as input. For performance reasons it transforms the secure keys, with the help of the HSM, into so-called protected keys, which is a similar concept to secure keys, except that a protected key is encrypted by a master key of the firmware instead of the HSM. With that protected key, the paes cipher can then encrypt mass data with the help of the hardware crypto support of IBM Z. You don't really want to encrypt mass data with a secure key where you have to go to the HSM for each and every block of data to en/decrypt. This would not perform well for mass data, such as for dm-crypt.

More to read about that support for Linux on IBM Z:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lxdc/lxdc_linuxonz.html
http://www.vmworkshop.org/2019/present/lxendend.pdf

Kind regards,
Ingo

>
> The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised.
> If you are not the intended recipient, please notify Airbus immediately and delete this e-mail.
> Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately.
> All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.
>
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt
>

--
Ingo Franzki
eMail: ifranzki@linux.ibm.com
Tel: ++49 (0)7031-16-4648
Fax: ++49 (0)7031-16-3456
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH / Chairman of the Supervisory Board: Matthias Hartmann
Managing Director: Dirk Wittkopp
Registered office: Böblingen / Commercial register: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/
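The setup Ingo describes, as an added example that is not part of the mail above and not code from IBM's s390-tools: a small POSIX shell helper that builds the cryptsetup command lines for a LUKS2 volume using the paes cipher with an HSM-wrapped secure key. It assumes the secure key file was produced by zkey from s390-tools (the repository path /etc/zkey/repository/<name>.skey and the volume name are illustrative), that cryptsetup accepts --master-key-file (newer releases also spell it --volume-key-file), and that CCA secure key tokens are 64 bytes (AESDATA) or 136 bytes (AESCIPHER) each; those token sizes are my assumption, not something the mail states. The practitioner's check it adds is that --key-size for paes is the size of the secure key file in bits, not the AES key length, so it is derived from the file rather than hard-coded, and an XTS cipher is refused unless the file holds two tokens.

```shell
#!/bin/sh
# Added example (not from the mail above, not from IBM's s390-tools).
# Builds, but does not execute, the cryptsetup commands for a LUKS2 volume
# encrypted with the 'paes' kernel cipher and an HSM-wrapped secure key.
#
# Assumptions (labelled here and in the lead-in):
#   - the key file comes from 'zkey generate' (s390-tools), e.g.
#     /etc/zkey/repository/<name>.skey
#   - cryptsetup accepts --master-key-file for luksFormat
#   - CCA secure key token sizes:
#       AESDATA    64 bytes/key  -> XTS pair 128 bytes -> --key-size 1024
#       AESCIPHER 136 bytes/key  -> XTS pair 272 bytes -> --key-size 2176
# For paes, --key-size is the secure key *file* size in bits, not the AES
# key length, so it is derived from the file instead of guessed.

# paes_key_bits KEYFILE
# Prints the --key-size value for KEYFILE, or fails on an unexpected size.
paes_key_bits() {
    bytes=$(wc -c < "$1" | tr -d ' ') || return 1
    case "$bytes" in
        64|128|136|272) echo $((bytes * 8)) ;;
        *) echo "paes_key_bits: unexpected secure key size ($bytes bytes) in $1" >&2
           return 1 ;;
    esac
}

# paes_luks_format_cmd KEYFILE DEVICE [CIPHER]
# Prints the luksFormat command. An XTS mode needs two secure key tokens in
# the file; the non-XTS paes modes need exactly one.
paes_luks_format_cmd() {
    keyfile=$1; dev=$2; cipher=${3:-paes-xts-plain64}
    bits=$(paes_key_bits "$keyfile") || return 1
    case "$cipher" in
        paes-xts-*)
            if [ "$bits" -ne 1024 ] && [ "$bits" -ne 2176 ]; then
                echo "paes_luks_format_cmd: $cipher needs two secure key tokens, got $bits bits" >&2
                return 1
            fi ;;
        *)
            if [ "$bits" -ne 512 ] && [ "$bits" -ne 1088 ]; then
                echo "paes_luks_format_cmd: $cipher needs one secure key token, got $bits bits" >&2
                return 1
            fi ;;
    esac
    printf 'cryptsetup luksFormat --type luks2 --cipher %s --key-size %s --master-key-file %s %s\n' \
        "$cipher" "$bits" "$keyfile" "$dev"
}

# paes_luks_open_cmd DEVICE NAME
# Opening needs only the LUKS passphrase: the keyslot unwraps the secure key,
# and the kernel turns it into a protected key via the HSM when the mapping
# is set up, so the HSM is not consulted per block afterwards.
paes_luks_open_cmd() {
    printf 'cryptsetup open --type luks2 %s %s\n' "$1" "$2"
}

# Usage (illustrative paths; prints the commands for review, run them yourself):
#   paes_luks_format_cmd /etc/zkey/repository/myvol.skey /dev/dasdb1
#   paes_luks_open_cmd /dev/dasdb1 enc-dasdb1
```

Two caveats worth keeping in mind with this layout: the LUKS header only ever stores the HSM-wrapped secure key, so the volume can be opened only on a system whose HSM holds the same master key, and a master key change requires re-enciphering the secure key (zkey has reencipher operations for this; consult the s390-tools man pages rather than this example for the exact procedure). Back up the zkey repository together with the LUKS header.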