From: Tomas G. <to...@pr...> - 2018-09-05 07:31:20
Hi,

That's really cool! I guess there is work needed in order to use the keys still, i.e. the:

public static final String AZURE_PROVIDER_NAME = "MyProvider

Am I correct?

Regards,
Tomas

On 2018-09-04 00:56, Jaime Hablutzel wrote:
> I'm attaching a patch (over SVN trunk r26038) to provide EJBCA support
> for storing keys in Azure Key Vault.
>
> Note that it is still a really ugly prototype!
>
> Remco: Please sign up to "ejb...@li..." and reply in this thread.
>
> On Fri, Jun 30, 2017 at 2:11 AM Tomas Gustavsson <to...@pr...> wrote:
>
> Yes, please contribute an implementation of this REST API, that would be
> awesome.
>
> Regards,
> Tomas
>
> ---
> On June 30, 2017 3:43:58 AM GMT+02:00, Jaime Hablutzel Egoavil
> <hab...@gm...> wrote:
>
> Indeed, Azure Key Vault uses Thales nShield HSMs as indicated in
> https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys:
>
> Azure Key Vault uses Thales nShield family of HSMs to protect
> your keys.
>
> But they don't seem to provide a direct interface to the HSM through
> the native nShield PKCS #11 module; the native tools related
> instructions in
> https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys
> look related to a BYOK scenario, not for interfacing to Azure Key Vault
> for cryptographic operations.
>
> The only interface to Azure Key Vault that I've found is their REST
> API, from https://docs.microsoft.com/en-us/rest/api/keyvault/:
>
> Managing your key vaults as well as the keys, secrets, and
> certificates within your key vaults can be accomplished through a REST
> interface.
> ...
> Managing within a Key Vault includes operations for creating,
> managing and executing cryptographic operations with keys, secrets and
> certificates within the Azure environment.
>
> As long as I'm looking into this, the only option I think I have is
> to create a custom org.cesecore.keys.token.CryptoToken implementation
> and interface to Azure Key Vault through their REST API.
>
> What do you think?
>
> On 2017-06-29 23:20, Jaime Hablutzel Egoavil wrote:
> > Thanks Herman, so you are saying that Azure Key Vault HSM provides a
> > PKCS #11 module to connect to their crypto services? I've been looking
> > for this but I can't find anything.
> >
> > Could you provide me a reference please?
> >
> > Regards.
> >
> > On Jun 28, 2017 9:02 PM, "Herman Vega" <hv...@gm...> wrote:
> >
> > Hi,
> >
> > Using Azure Key Vault is a very comfortable option, because Azure
> > deploys using Thales HSM, and they provide a direct connection
> > protocol with the HSM, and it is supported natively by EJBCA. So it is
> > transparent to integrate.
> >
> > In security, it depends on what controls you implement; for
> > example I don't know if in PERÚ local regulation allows operating
> > without FIPS 140 level 3 mode, mostly required for advanced digital
> > signatures, like here in Chile. Consider that keys in Thales nCipher are
> > stored outside the FIPS module; they are stored in a database or
> > filesystem, encrypted.
> >
> > Regards
> >
> > Sent from my iPhone
> > On 28-06-2017, at 19:14, Jaime Hablutzel Egoavil
> > <hab...@gm...> wrote:
> >
> >> Hi everybody, nothing on this?
> >>
> >> In countries like Peru it seems that you can comply with the
> >> digital signatures regulation about requiring certified HSMs by
> >> storing CA keys on cloud HSMs like the ones offered by Azure Key
> >> Vault (i.e. as long as the key is generated in an HSM it seems to
> >> be ok for our regulation).
> >>
> >> This being the case, if it were possible to integrate EJBCA to
> >> Azure Key Vault it would become a really low cost alternative for
> >> some startup setups to deploy a certification authority.
> >>
> >> On Sat, May 27, 2017 at 1:56 AM, Jaime Hablutzel Egoavil
> >> <hab...@gm...> wrote:
> >>
> >> Hi, I would like to hear your opinion about using Azure Key
> >> Vault HSM backed keys for running an EJBCA CA, considering
> >> that these keys can actually be generated inside or transferred
> >> (BYOK) to a Thales nShield HSM in Microsoft infrastructure
> >> and considering how cheap this service is ($1 per key per
> >> month + $0.03 / 10,000 operations).
> >>
> >> Do you see any major security problem with this approach?
> >>
> >> What about the changes required in EJBCA to make this work
> >> connecting to Azure Key Vault REST APIs? Are these expected
> >> to be minor changes? Does EJBCA currently support custom
> >> implementations for CA key operations?
> >>
> >> For Azure Key Vault and the HSMs it uses, see
> >> https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys.
> >>
> >> --
> >> Jaime Hablutzel - RPC 994690880
> >>
> >> ------------------------------------------------------------------------------
> >> Check out the vibrant tech community on one of the world's most
> >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> >> _______________________________________________
> >> Ejbca-develop mailing list
> >> Ejb...@li...
> >> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>
> --
> Jaime Hablutzel - RPC 994690880
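Jaime's plan in the thread above (a custom CryptoToken that delegates CA signing to the Key Vault REST API) turns on one property of that API that the thread only hints at: the vault signs a digest the caller computes locally, so the token has to hash first and pick the matching algorithm identifier. The following Python is an added example, not code from the thread, the attached patch or EJBCA; it builds the sign request and decodes the reply for an RSA key. The endpoint shape follows the public Key Vault REST documentation, while the vault name, key name, api-version default and the reply body are constructed assumptions.

```python
import base64
import hashlib
import json

# Digest each RSA PKCS#1 v1.5 algorithm identifier expects: the "sign" request
# carries only the hash of the to-be-signed bytes, never the bytes themselves.
_DIGEST_FOR_ALG = {"RS256": hashlib.sha256, "RS384": hashlib.sha384, "RS512": hashlib.sha512}

def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, the encoding Key Vault uses for "value" fields."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Key Vault strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_sign_request(vault, key_name, key_version, alg, data, access_token, api_version="7.0"):
    """Return method, URL, headers and JSON body for a Key Vault "sign" call.

    The caller (here, a hypothetical EJBCA CryptoToken) hashes locally, so the
    vault only sees the digest. The api_version default is an assumption.
    """
    if alg not in _DIGEST_FOR_ALG:
        raise ValueError(f"unsupported algorithm {alg!r}")
    digest = _DIGEST_FOR_ALG[alg](data).digest()
    url = (f"https://{vault}.vault.azure.net/keys/{key_name}/{key_version}/sign"
           f"?api-version={api_version}")
    return {
        "method": "POST",
        "url": url,
        # The bearer token is the only credential in the exchange; key material never leaves the vault.
        "headers": {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
        "body": json.dumps({"alg": alg, "value": b64url_encode(digest)}),
    }

def parse_sign_response(body: str, expected_kid_prefix: str) -> bytes:
    """Extract raw signature bytes; refuse a reply whose "kid" is not the key we asked for."""
    doc = json.loads(body)
    if not str(doc.get("kid", "")).startswith(expected_kid_prefix):
        raise ValueError("signature returned for an unexpected key id")
    return b64url_decode(doc["value"])

if __name__ == "__main__":
    # Constructed sample values; no network call is made here.
    req = build_sign_request("example-vault", "ca-key", "v1", "RS256", b"tbsCertificate", "TOKEN-PLACEHOLDER")
    print(req["url"], req["body"], sep="\n")
    sample_reply = '{"kid": "https://example-vault.vault.azure.net/keys/ca-key/v1", "value": "AQID"}'
    print(parse_sign_response(sample_reply, "https://example-vault.vault.azure.net/keys/ca-key").hex())
```

The kid check matters for a CA: a reply signed under a rotated or different key version would otherwise be accepted silently, so the token should pin the key it expects and verify the returned signature against the cached public key before emitting a certificate.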