On Wed, 15 Nov 2023, John Phillips via FreeIPA-users wrote:
As most servers, physical and virtual, are now equipped with a TPM, are
there any plans to leverage this to store keys for FreeIPA?

We have a use-case where FreeIPA is a sub-CA and the root CA will sign
our cert. Ideally we would like to store the private keys in the TPM -
specifically AWS NitroTPM.

I know that HSM has recently been supported - is it feasible to
leverage a similar process to support TPMs?

HSM support in FreeIPA is not yet complete, work on it is ongoing in
https://github.com/freeipa/freeipa/pull/6714

Dogtag PKI relies on the NSS library to store private keys for the CA, and HSM
integration is based on the fact that you can access those devices via a
PKCS#11 token. So if you have a TPM2/PKCS#11 bridge, that might be an
option eventually.

I see there is https://github.com/tpm2-software/tpm2-pkcs11 that
represents TPM 2.0 devices as PKCS#11 tokens.

From the FreeIPA perspective, a key requirement for HSM use in production is
that replication of the key material is then delegated to the HSM
implementation. Many commercial HSM products are actually 'network-based
HSMs' and allow seamless access to the cryptographic token transparently
over the network to their clients. As a result, IPA replicas will be able to
access the same content. I see that tpm2-pkcs11 has support for
link/import in ptool but, as I said, nobody has ever tried it as a
PKCS#11 token for IPA use.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
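The bridge Alexander describes, worked through end to end as an added example (this is not code from FreeIPA, Dogtag or the tpm2-pkcs11 project): a TPM 2.0 key is created behind a tpm2-pkcs11 token, that token is registered as a PKCS#11 module in an NSS database the way Dogtag reaches a HSM, and the private key is then checked for being non-exportable through PKCS#11. The module path, store directory, token and key labels, PINs and NSS database location are assumptions chosen for the example, as is the `pkcs11-tool` "Access:" line format the checker parses; the two listings used by the self-check are constructed, not captured from a real TPM.

```shell
#!/bin/sh
# Added example (not FreeIPA, Dogtag or tpm2-pkcs11 project code): expose a
# TPM 2.0 key as a PKCS#11 token with tpm2-pkcs11, register that token in an
# NSS database as Dogtag would a HSM, and verify the private key cannot be
# exported through PKCS#11. All paths, labels and PINs below are assumptions.
set -eu

TPM2_MODULE="${TPM2_MODULE:-/usr/lib64/pkcs11/libtpm2_pkcs11.so}"    # assumed path
export TPM2_PKCS11_STORE="${TPM2_PKCS11_STORE:-/var/lib/tpm2-pkcs11}"  # assumed store
TOKEN_LABEL="${TOKEN_LABEL:-ipa-ca-tpm}"                                # assumed label
KEY_LABEL="${KEY_LABEL:-ipa-ca-signing}"                                # assumed label
NSSDB="${NSSDB:-sql:/tmp/nssdb-tpm-demo}"                               # assumed db
SOPIN="${SOPIN:-change-me-so}"
USERPIN="${USERPIN:-change-me-user}"

# Create a token on the TPM and generate the key inside it. `addkey` keeps the
# private half in the TPM from birth; `tpm2_ptool import --privkey` would also
# work for an existing CA key, but then a plaintext copy has existed on disk.
tpm_token_create() {
  mkdir -p "$TPM2_PKCS11_STORE"
  tpm2_ptool init --path "$TPM2_PKCS11_STORE"
  tpm2_ptool addtoken --pid 1 --sopin "$SOPIN" --userpin "$USERPIN" \
    --label "$TOKEN_LABEL" --path "$TPM2_PKCS11_STORE"
  tpm2_ptool addkey --label "$TOKEN_LABEL" --key-label "$KEY_LABEL" \
    --algorithm rsa2048 --userpin "$USERPIN" --path "$TPM2_PKCS11_STORE"
}

# Register the bridge as a PKCS#11 module in an NSS database. Dogtag addresses
# a HSM through this same NSS module list, by token label.
nss_register_module() {
  dir="${NSSDB#sql:}"
  mkdir -p "$dir"
  [ -f "$dir/cert9.db" ] || certutil -N -d "$NSSDB" --empty-password
  modutil -dbdir "$NSSDB" -add tpm2-pkcs11 -libfile "$TPM2_MODULE" -force
  modutil -dbdir "$NSSDB" -list tpm2-pkcs11
}

# List the keys NSS can see on the token (needs the user PIN).
nss_list_token_keys() {
  pinfile="$(mktemp)"
  printf '%s\n' "$USERPIN" > "$pinfile"
  certutil -d "$NSSDB" -K -h "$TOKEN_LABEL" -f "$pinfile" || { rm -f "$pinfile"; return 1; }
  rm -f "$pinfile"
}

# The check a practitioner wants: every private key object on the token must be
# CKA_SENSITIVE and not CKA_EXTRACTABLE. Reads on stdin the output of
#   pkcs11-tool --module "$TPM2_MODULE" --token-label "$TOKEN_LABEL" \
#       --login --pin "$USERPIN" --list-objects --type privkey
# and returns 0 only if at least one private key was listed and none is exportable.
# (Assumes pkcs11-tool's "  Access:" line format.)
check_privkeys_locked() {
  awk '
    /^Private Key Object/ { n++; inkey = 1; next }
    /^(Public Key|Certificate|Secret Key|Data) Object/ { inkey = 0 }
    inkey && /^  Access:/ {
      checked++
      line = $0
      sub(/never extractable/, "", line)   # must not count as "extractable"
      if (line !~ /sensitive/ || line ~ /extractable/) bad++
      inkey = 0
    }
    END { if (n > 0 && checked == n && bad == 0) exit 0; exit 1 }'
}

# Constructed pkcs11-tool output (not captured from a real TPM) for a self-check:
# one key the TPM will never release, and one imported with CKA_EXTRACTABLE set.
sample_locked() {
  printf '%s\n' \
    'Private Key Object; RSA' \
    '  label:      ipa-ca-signing' \
    '  ID:         01' \
    '  Usage:      decrypt, sign' \
    '  Access:     sensitive, always sensitive, never extractable, local'
}
sample_exportable() {
  sample_locked
  printf '%s\n' \
    'Private Key Object; RSA' \
    '  label:      imported-softkey' \
    '  ID:         02' \
    '  Usage:      decrypt, sign' \
    '  Access:     sensitive, extractable'
}

# Returns 0 if the checker accepts the locked listing, rejects the exportable
# one, and rejects an empty listing.
selfcheck() {
  sample_locked | check_privkeys_locked || return 1
  if sample_exportable | check_privkeys_locked; then return 1; fi
  if printf '' | check_privkeys_locked; then return 1; fi
  return 0
}

# Real run (needs a TPM, tpm2-pkcs11, NSS tools and pkcs11-tool): ./script run
if [ "${1:-}" = run ]; then
  tpm_token_create
  nss_register_module
  nss_list_token_keys
  pkcs11-tool --module "$TPM2_MODULE" --token-label "$TOKEN_LABEL" \
    --login --pin "$USERPIN" --list-objects --type privkey | check_privkeys_locked
  echo "all private keys on $TOKEN_LABEL are non-extractable"
fi
```

Note the replication caveat the reply raises: a TPM is bound to one machine, so unlike a network HSM the token created here is visible only to that host. Giving each replica a TPM-resident copy of the same key would mean importing it with `tpm2_ptool import` on every host, at which point the key has existed in plaintext outside the TPM, and a key generated with `addkey` on one replica cannot be moved to another at all.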