HostKey in hardware?

andrew cooke andrew at
Thu Nov 22 05:49:30 EST 2012


Is there any way to store HostKey in hardware (and delegate the related

I have been using Roumen Petrov's x509 patch for clients, which works via an
OpenSSL engine, but it does not seem to support server HostKey:

For PKCS#11, I have found an email on this list from a year back suggesting
this might happen, and there's also a mention in this talk, but I can
find no evidence that anything has been implemented yet.

The hardware I am using (Spyrus Lynks II) doesn't have PKCS#11 support, so I
would prefer the OpenSSL route (since I already have an engine), but if
necessary I would consider writing a minimal PKCS#11 implementation (can
anyone give a rough idea of the amount of work involved to get HostKey
working, only?)

Anyway, any pointers would be appreciated.


More information about the openssh-unix-dev mailing list