From: Tomas G. <to...@pr...> - 2018-09-05 07:43:37

I created a ticket in Jira for EJBCA. If you register in Jira, Jaime, I could put you as reporter.
https://jira.primekey.se/browse/ECA-7278

Cheers,
Tomas

On 2018-09-05 09:31, Tomas Gustavsson wrote:
>
> Hi,
>
> That's really cool!
>
> I guess there is work needed in order to use the keys still, i.e. the:
> public static final String AZURE_PROVIDER_NAME = "MyProvider
>
> Am I correct?
>
> Regards,
> Tomas
>
>
> On 2018-09-04 00:56, Jaime Hablutzel wrote:
>> I'm attaching a patch (over SVN trunk r26038) to provide EJBCA support
>> for storing keys in Azure Key Vault.
>>
>> Note that it is still a really ugly prototype!
>>
>> Remco: Please sign up to "ejb...@li..." and reply in this thread.
>>
>> On Fri, Jun 30, 2017 at 2:11 AM Tomas Gustavsson <to...@pr...> wrote:
>>
>> Yes, please contribute an implementation of this REST API, that would be
>> awesome.
>>
>> Regards,
>> Tomas
>>
>> ---
>> On June 30, 2017 3:43:58 AM GMT+02:00, Jaime Hablutzel Egoavil
>> <hab...@gm...> wrote:
>>
>> Indeed, Azure Key Vault uses Thales nShield HSMs as indicated in
>> https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys:
>>
>> "Azure Key Vault uses Thales nShield family of HSMs to protect
>> your keys."
>>
>> But they don't seem to provide a direct interface to the HSM through
>> the native nShield PKCS #11 module; the native-tools-related
>> instructions in
>> https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys
>> look related to a BYOK scenario, not to interfacing with Azure Key Vault
>> for cryptographic operations.
>>
>> The only interface to Azure Key Vault that I've found is their REST
>> API, from https://docs.microsoft.com/en-us/rest/api/keyvault/:
>>
>> "Managing your key vaults as well as the keys, secrets, and
>> certificates within your key vaults can be accomplished through a REST
>> interface.
>> ...
>> Managing within a Key Vault includes operations for creating,
>> managing and executing cryptographic operations with keys, secrets and
>> certificates within the Azure environment."
>>
>> As far as I'm looking into this, the only option I think I have is
>> to create a custom org.cesecore.keys.token.CryptoToken implementation
>> and interface to Azure Key Vault through their REST API.
>>
>> What do you think?
>>
>> On 2017-06-29 23:20, Jaime Hablutzel Egoavil wrote:
>> > Thanks Herman, so you are saying that Azure Key Vault HSM provides a
>> > PKCS #11 module to connect to their crypto services? I've been looking
>> > for this but I can't find anything.
>> >
>> > Could you provide me a reference please?
>> >
>> > Regards.
>> >
>> > On Jun 28, 2017 9:02 PM, "Herman Vega" <hv...@gm...> wrote:
>> >
>> > Hi,
>> >
>> > Using Azure Key Vault is a very comfortable option, because Azure
>> > deploys using Thales HSMs, and they provide a direct connection
>> > protocol with the HSM, and it is supported natively by EJBCA. So it is
>> > transparent to integrate.
>> >
>> > In security, it depends on what controls you implement; for
>> > example I don't know if in PERÚ local regulation allows operating
>> > without FIPS 140 level 3 mode, mostly required for advanced digital
>> > signatures, like here in Chile. Consider that keys in Thales nCipher are
>> > stored outside the FIPS module; they are stored encrypted in a database
>> > or filesystem.
>> >
>> > Regards
>> >
>> > Sent from my iPhone
>> >
>> > On 28-06-2017, at 19:14, Jaime Hablutzel Egoavil <hab...@gm...> wrote:
>> >
>> >> Hi everybody, nothing on this?
>> >>
>> >> In countries like Peru it seems that you can comply with the
>> >> digital signatures regulation about requiring certified HSMs by
>> >> storing CA keys on cloud HSMs like the ones offered by Azure Key
>> >> Vault (i.e. as long as the key is generated in an HSM it seems to
>> >> be OK for our regulation).
>> >>
>> >> This being the case, if it were possible to integrate EJBCA with
>> >> Azure Key Vault it would become a really low-cost alternative for
>> >> some startup setups to deploy a certification authority.
>> >>
>> >> On Sat, May 27, 2017 at 1:56 AM, Jaime Hablutzel Egoavil <hab...@gm...> wrote:
>> >>
>> >> Hi, I would like to hear your opinion about using Azure Key
>> >> Vault HSM-backed keys for running an EJBCA CA, considering
>> >> that these keys can actually be generated inside or transferred
>> >> (BYOK) to a Thales nShield HSM in Microsoft infrastructure
>> >> and considering how cheap this service is ($1 per key per
>> >> month + $0.03 / 10,000 operations).
>> >>
>> >> Do you see any major security problem with this approach?
>> >>
>> >> What about the changes required in EJBCA to make this work
>> >> connecting to Azure Key Vault REST APIs? Are these expected
>> >> to be minor changes? Does EJBCA currently support custom
>> >> implementations for CA key operations?
>> >>
>> >> For Azure Key Vault and the HSMs it uses, see
>> >> https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys.
>> >>
>> >> --
>> >> Jaime Hablutzel - RPC 994690880
>> >>
>> >>
>> >> --
>> >> Jaime Hablutzel - RPC 994690880
>> >>
>> >> _______________________________________________
>> >> Ejbca-develop mailing list
>> >> Ejb...@li...
>> >> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>
>> --
>> Jaime Hablutzel - RPC 994690880
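The thread concludes that the only way to drive Azure Key Vault keys from EJBCA is a custom org.cesecore.keys.token.CryptoToken that talks to the Key Vault REST API. The sketch below is an added example, not code from the thread, from EJBCA or from Microsoft: it shows the signing round trip such a token would have to perform, run offline against a constructed in-memory stub of the vault. The request and response shape (POST {vault}/keys/{name}/{version}/sign?api-version=7.0 with a bearer token, a JSON body of {"alg", "value"} carrying a base64url digest, and a JSON response of {"kid", "value"}) is assumed from the Key Vault REST reference rather than taken from the thread; the vault name, key name, key version and the token string are placeholders, and the stub's RSA key is a toy built from two Mersenne primes. What the passage does not spell out, and what the example adds, is that Key Vault signs a digest computed by the caller (RS256 = RSASSA-PKCS1-v1_5 with SHA-256), so the client is the only place where the kid returned by the service can be checked against the key the CA is configured to use and where the returned signature can be verified before it is embedded in a certificate.

```python
"""Key Vault 'sign' client as a Key Vault-backed CryptoToken would use it.
Added example; endpoint shape, names and key are assumptions, not EJBCA code."""
import base64
import hashlib
import json

# Constructed stub key: two Mersenne primes give a ~1128-bit toy modulus.
_P = 2**521 - 1
_Q = 2**607 - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))      # modular inverse, Python 3.8+
_EM_LEN = (_N.bit_length() + 7) // 8       # 141 bytes

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

STUB_VAULT = "https://example-vault.vault.azure.net"          # assumed
STUB_KEY_NAME, STUB_KEY_VERSION = "ca-signing-key", "0123456789abcdef"  # assumed
STUB_KID = f"{STUB_VAULT}/keys/{STUB_KEY_NAME}/{STUB_KEY_VERSION}"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def emsa_pkcs1_v1_5(digest: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of a SHA-256 digest: 00 01 FF..FF 00 T."""
    t = _SHA256_DIGESTINFO + digest
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def stub_vault_sign(path: str, headers: dict, body: str) -> dict:
    """In-memory stand-in for the Key Vault 'sign' endpoint (constructed)."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("401: missing bearer token")
    if path != f"/keys/{STUB_KEY_NAME}/{STUB_KEY_VERSION}/sign":
        raise LookupError(f"404: {path}")
    req = json.loads(body)
    if req.get("alg") != "RS256":
        raise ValueError("400: unsupported alg")
    digest = b64url_decode(req["value"])
    if len(digest) != 32:
        raise ValueError("400: RS256 expects a 32-byte SHA-256 digest")
    em = int.from_bytes(emsa_pkcs1_v1_5(digest, _EM_LEN), "big")
    sig = pow(em, _D, _N).to_bytes(_EM_LEN, "big")
    return {"kid": STUB_KID, "value": b64url_encode(sig)}


def stub_vault_public_jwk() -> dict:
    """Stand-in for GET /keys/{name}/{version}: the public JWK only."""
    return {"kid": STUB_KID, "kty": "RSA",
            "n": b64url_encode(_N.to_bytes(_EM_LEN, "big")),
            "e": b64url_encode(_E.to_bytes(3, "big"))}


def rs256_verify(data: bytes, signature: bytes, jwk: dict) -> bool:
    """RSASSA-PKCS1-v1_5 / SHA-256 verification from a public JWK, stdlib only."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    em_len = (n.bit_length() + 7) // 8
    if len(signature) != em_len:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(em_len, "big")
    expected = emsa_pkcs1_v1_5(hashlib.sha256(data).digest(), em_len)
    return em == expected      # compare the whole encoding, no lenient parsing


def keyvault_sign(data: bytes, token: str, expected_kid: str,
                  transport=stub_vault_sign) -> bytes:
    """Hash locally, ship only the digest, check the kid, verify the result."""
    digest = hashlib.sha256(data).digest()
    path = f"/keys/{STUB_KEY_NAME}/{STUB_KEY_VERSION}/sign"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    body = json.dumps({"alg": "RS256", "value": b64url_encode(digest)})
    response = transport(path, headers, body)
    # A signature from another key (rotated version, wrong vault) must never
    # end up inside a certificate: check the kid before trusting 'value'.
    if response.get("kid") != expected_kid:
        raise RuntimeError(f"unexpected kid {response.get('kid')!r}")
    signature = b64url_decode(response["value"])
    if not rs256_verify(data, signature, stub_vault_public_jwk()):
        raise RuntimeError("vault returned a signature that does not verify")
    return signature


if __name__ == "__main__":
    tbs = b"constructed stand-in for a DER TBSCertificate"
    sig = keyvault_sign(tbs, "assumed-azure-ad-token", STUB_KID)
    print(len(sig), "byte signature verifies:",
          rs256_verify(tbs, sig, stub_vault_public_jwk()))
```

In a real token the `transport` argument would be an HTTPS call carrying an Azure AD bearer token and the vault's public key would come from the GET on the key rather than from the stub; the kid check and the local verification are the parts worth keeping, since the service, not the CA, chooses which key material answers a request.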