From: Tomas G. <to...@pr...> - 2018-09-07 05:26:35

We also have interest in working with this, so if possible at all, please
continue the work here in the Community. It is very interesting for the
project.

Regards,
Tomas

On 2018-09-07 05:39, Jaime Hablutzel wrote:
> Hi Tomas, the patch I submitted is really bad quality (created one year
> ago just as a proof of concept) and the only reason that I sent it to
> the mailing list is because Rem...@al... (CCed) showed interest in
> working on this.
>
> On Wed, Sep 5, 2018 at 2:44 AM Tomas Gustavsson <to...@pr...> wrote:
>
>> I created a ticket in Jira for EJBCA.
>> If you register in Jira Jaime, I could put you as reporter.
>
> I already had a user, my username is "hablutzel1".
>
>> https://jira.primekey.se/browse/ECA-7278
>>
>> Cheers,
>> Tomas
>>
>> On 2018-09-05 09:31, Tomas Gustavsson wrote:
>>> Hi,
>>>
>>> That's really cool!
>>>
>>> I guess there is work needed in order to use the keys still, i.e. the:
>>> public static final String AZURE_PROVIDER_NAME = "MyProvider
>
> Please see my comment on ECA-7278.
>
>>> Am I correct?
>>>
>>> Regards,
>>> Tomas
>>>
>>> On 2018-09-04 00:56, Jaime Hablutzel wrote:
>>>> I'm attaching a patch (over SVN trunk r26038) to provide EJBCA
>>>> support for storing keys in Azure Key Vault.
>>>>
>>>> Note that it is still a really ugly prototype!
>>>>
>>>> Remco: Please sign up to "ejb...@li..." and reply in this thread.
>>>>
>>>> On Fri, Jun 30, 2017 at 2:11 AM Tomas Gustavsson <to...@pr...> wrote:
>>>>> Yes, please contribute an implementation of this REST API, that
>>>>> would be awesome.
>>>>>
>>>>> Regards,
>>>>> Tomas
>>>>>
>>>>> ---
>>>>> On June 30, 2017 3:43:58 AM GMT+02:00, Jaime Hablutzel Egoavil
>>>>> <hab...@gm...> wrote:
>>>>>> Indeed, Azure Key Vault uses Thales nShield HSMs as indicated in
>>>>>> https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys:
>>>>>>
>>>>>>     Azure Key Vault uses Thales nShield family of HSMs to protect
>>>>>>     your keys.
>>>>>>
>>>>>> But they don't seem to provide a direct interface to the HSM
>>>>>> through the native nShield PKCS #11 module; the native tools
>>>>>> related instructions in
>>>>>> https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys
>>>>>> look related to a BYOK scenario, not to interfacing with Azure
>>>>>> Key Vault for cryptographic operations.
>>>>>>
>>>>>> The only interface to Azure Key Vault that I've found is their
>>>>>> REST API, from https://docs.microsoft.com/en-us/rest/api/keyvault/:
>>>>>>
>>>>>>     Managing your key vaults as well as the keys, secrets, and
>>>>>>     certificates within your key vaults can be accomplished
>>>>>>     through a REST interface.
>>>>>>     ...
>>>>>>     Managing within a Key Vault includes operations for creating,
>>>>>>     managing and executing cryptographic operations with keys,
>>>>>>     secrets and certificates within the Azure environment.
>>>>>>
>>>>>> As long as I'm looking into this, the only option I think I have
>>>>>> is to create a custom org.cesecore.keys.token.CryptoToken
>>>>>> implementation and interface to Azure Key Vault through their
>>>>>> REST API.
>>>>>>
>>>>>> What do you think?
>>>>>>
>>>>>> On 2017-06-29 23:20, Jaime Hablutzel Egoavil wrote:
>>>>>>> Thanks Herman, so you are saying that Azure Key Vault HSM
>>>>>>> provides a PKCS #11 module to connect to their crypto services?
>>>>>>> I've been looking for this but I can't find anything.
>>>>>>>
>>>>>>> Could you provide me a reference please?
>>>>>>>
>>>>>>> Regards.
>>>>>>>
>>>>>>> On Jun 28, 2017 9:02 PM, "Herman Vega" <hv...@gm...> wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Using Azure Key Vault is a very comfortable option, because
>>>>>>>> Azure deploys using Thales HSMs, and they provide a direct
>>>>>>>> connection protocol with the HSM, and it is supported natively
>>>>>>>> by EJBCA. So it is transparent to integrate.
>>>>>>>>
>>>>>>>> In security, it depends on what controls you implement; for
>>>>>>>> example I don't know if in Perú local regulation allows
>>>>>>>> operating without FIPS 140 level 3 mode, mostly required for
>>>>>>>> advanced digital signatures, like here in Chile. Consider that
>>>>>>>> keys in Thales nCipher are stored outside the FIPS module; they
>>>>>>>> are stored in the database or filesystem, encrypted.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> Sent from my iPhone
>>>>>>>>
>>>>>>>> On 28-06-2017, at 19:14, Jaime Hablutzel Egoavil <hab...@gm...> wrote:
>>>>>>>>> Hi everybody, nothing on this?
>>>>>>>>>
>>>>>>>>> In countries like Peru it seems that you can comply with the
>>>>>>>>> digital signatures regulation about requiring certified HSMs by
>>>>>>>>> storing CA keys on cloud HSMs like the ones offered by Azure
>>>>>>>>> Key Vault (i.e. as long as the key is generated in an HSM it
>>>>>>>>> seems to be ok for our regulation).
>>>>>>>>>
>>>>>>>>> This being the case, if it were possible to integrate EJBCA
>>>>>>>>> with Azure Key Vault it would become a really low cost
>>>>>>>>> alternative for some startup setups to deploy a certification
>>>>>>>>> authority.
>>>>>>>>>
>>>>>>>>> On Sat, May 27, 2017 at 1:56 AM, Jaime Hablutzel Egoavil <hab...@gm...> wrote:
>>>>>>>>>> Hi, I would like to hear your opinion about using Azure Key
>>>>>>>>>> Vault HSM backed keys for running an EJBCA CA, considering
>>>>>>>>>> that these keys can actually be generated inside or
>>>>>>>>>> transferred (BYOK) to a Thales nShield HSM in Microsoft
>>>>>>>>>> infrastructure and considering how cheap this service is ($1
>>>>>>>>>> per key per month + $0.03 / 10,000 operations).
>>>>>>>>>>
>>>>>>>>>> Do you see any major security problem with this approach?
>>>>>>>>>>
>>>>>>>>>> What about the changes required in EJBCA to make this work
>>>>>>>>>> connecting to Azure Key Vault REST APIs? Are these expected
>>>>>>>>>> to be minor changes? Does EJBCA currently support custom
>>>>>>>>>> implementations for CA key operations?
>>>>>>>>>>
>>>>>>>>>> For Azure Key Vault and the HSMs it uses, see
>>>>>>>>>> https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Jaime Hablutzel - RPC 994690880
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Jaime Hablutzel - RPC 994690880
>>>>>>
>>>>>> --
>>>>>> Jaime Hablutzel - RPC 994690880
>
> --
> Jaime Hablutzel - RPC 994690880

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Ejbca-develop mailing list
Ejb...@li...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop