From: Jaime H. <hab...@gm...> - 2018-09-07 03:39:23

Hi Tomas, the patch I submitted is really bad quality (created one year ago just as a proof of concept) and the only reason that I sent it to the mailing list is because Rem...@al... (CCed) showed interest in working on this.

On Wed, Sep 5, 2018 at 2:44 AM Tomas Gustavsson <to...@pr...> wrote:
>
> I created a ticket in Jira for EJBCA.
>
> If you register in Jira Jaime, I could put you as reporter.

I had a user already, my username is "hablutzel1".

> https://jira.primekey.se/browse/ECA-7278
>
> Cheers,
> Tomas
>
> On 2018-09-05 09:31, Tomas Gustavsson wrote:
> >
> > Hi,
> >
> > That's really cool!
> >
> > I guess there is work needed in order to use the keys still, i.e. the:
> > public static final String AZURE_PROVIDER_NAME = "MyProvider

Please see my comment on ECA-7278.

> > Am I correct?
> >
> > Regards,
> > Tomas
> >
> > On 2018-09-04 00:56, Jaime Hablutzel wrote:
> >> I'm attaching a patch (over SVN trunk r26038) to provide EJBCA support
> >> for storing keys in Azure Key Vault.
> >>
> >> Note that it is still a really ugly prototype!
> >>
> >> Remco: Please sign up to "ejb...@li..." and reply in this thread.
> >>
> >> On Fri, Jun 30, 2017 at 2:11 AM Tomas Gustavsson <to...@pr...> wrote:
> >>
> >>     Yes, please contribute an implementation of this REST API, that
> >>     would be awesome.
> >>
> >>     Regards,
> >>     Tomas
> >>
> >>     ---
> >>     On June 30, 2017 3:43:58 AM GMT+02:00, Jaime Hablutzel Egoavil
> >>     <hab...@gm...> wrote:
> >>
> >>         Indeed, Azure Key Vault uses Thales nShield HSMs as indicated in
> >>         https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys :
> >>
> >>             Azure Key Vault uses Thales nShield family of HSMs to
> >>             protect your keys.
> >>
> >>         But they don't seem to provide a direct interface to the HSM
> >>         through the native nShield PKCS #11 module; the instructions
> >>         related to the native tools in
> >>         https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys
> >>         look related to a BYOK scenario, not to interfacing with Azure
> >>         Key Vault for cryptographic operations.
> >>
> >>         The only interface to Azure Key Vault that I've found is their
> >>         REST API, from https://docs.microsoft.com/en-us/rest/api/keyvault/:
> >>
> >>             Managing your key vaults as well as the keys, secrets, and
> >>             certificates within your key vaults can be accomplished
> >>             through a REST interface.
> >>             ...
> >>             Managing within a Key Vault includes operations for
> >>             creating, managing and executing cryptographic operations
> >>             with keys, secrets and certificates within the Azure
> >>             environment.
> >>
> >>         As far as I have looked into this, the only option I think I
> >>         have is to create a custom org.cesecore.keys.token.CryptoToken
> >>         implementation and interface to Azure Key Vault through their
> >>         REST API.
> >>
> >>         What do you think?
> >>
> >>         On 2017-06-29 23:20, Jaime Hablutzel Egoavil wrote:
> >>         > Thanks Herman, so you are saying that Azure Key Vault HSM
> >>         > provides a PKCS #11 module to connect to their crypto
> >>         > services? I've been looking for this but I can't find anything.
> >>         >
> >>         > Could you provide me a reference please?
> >>         >
> >>         > Regards.
> >>         >
> >>         > On Jun 28, 2017 9:02 PM, "Herman Vega" <hv...@gm...> wrote:
> >>         >
> >>         >     Hi,
> >>         >
> >>         >     Using Azure Key Vault is a very comfortable option, because
> >>         >     Azure deploys using Thales HSM, and they provide a direct
> >>         >     connection protocol with the HSM, and it is supported
> >>         >     natively by EJBCA. So it is transparent to integrate.
> >>         >
> >>         >     In security, it depends on what controls you implement; for
> >>         >     example I don't know if in Perú local regulation allows
> >>         >     operating without FIPS 140 level 3 mode, mostly required for
> >>         >     advanced digital signatures, like here in Chile. Consider
> >>         >     that keys in Thales nCipher are stored outside the FIPS
> >>         >     module; they are stored encrypted in a database or
> >>         >     filesystem.
> >>         >
> >>         >     Regards
> >>         >
> >>         >     Sent from my iPhone
> >>         >     On 28-06-2017, at 19:14, Jaime Hablutzel Egoavil
> >>         >     <hab...@gm...> wrote:
> >>         >
> >>         >>     Hi everybody, nothing on this?
> >>         >>
> >>         >>     In countries like Peru it seems that you can comply with
> >>         >>     the digital signatures regulation about requiring
> >>         >>     certified HSMs by storing CA keys on cloud HSMs like the
> >>         >>     ones offered by Azure Key Vault (i.e. as long as the key
> >>         >>     is generated in an HSM it seems to be ok for our
> >>         >>     regulation).
> >>         >>
> >>         >>     This being the case, if it were possible to integrate
> >>         >>     EJBCA with Azure Key Vault it would become a really low
> >>         >>     cost alternative for some startup setups to deploy a
> >>         >>     certification authority.
> >>         >>
> >>         >>     On Sat, May 27, 2017 at 1:56 AM, Jaime Hablutzel Egoavil
> >>         >>     <hab...@gm...> wrote:
> >>         >>
> >>         >>         Hi, I would like to hear your opinion about using
> >>         >>         Azure Key Vault HSM backed keys for running an EJBCA
> >>         >>         CA, considering that these keys can actually be
> >>         >>         generated inside or transferred (BYOK) to a Thales
> >>         >>         nShield HSM in Microsoft infrastructure and
> >>         >>         considering how cheap this service is ($1 per key per
> >>         >>         month + $0.03 / 10,000 operations).
> >>         >>
> >>         >>         Do you see any major security problem with this
> >>         >>         approach?
> >>         >>
> >>         >>         What about the changes required in EJBCA to make this
> >>         >>         work connecting to Azure Key Vault REST APIs? Are
> >>         >>         these expected to be minor changes? Does EJBCA
> >>         >>         currently support custom implementations for CA key
> >>         >>         operations?
> >>         >>
> >>         >>         For Azure Key Vault and the HSMs it uses, see
> >>         >>         https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys.
> >>         >>
> >>         >>         --
> >>         >>         Jaime Hablutzel - RPC 994690880
> >>         >>
> >>         >> ------------------------------------------------------------------------------
> >>         >> Check out the vibrant tech community on one of the world's
> >>         >> most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> >>         >> _______________________________________________
> >>         >> Ejbca-develop mailing list
> >>         >> Ejb...@li...
> >>         >> https://lists.sourceforge.net/lists/listinfo/ejbca-develop

--
Jaime Hablutzel - RPC 994690880