[RFC 1/2] Add support for openssl engine based keys
Damien Miller
djm at mindrot.org
Fri Nov 3 19:25:48 AEDT 2017
On Thu, 2 Nov 2017, James Bottomley wrote:
> On Fri, 2017-11-03 at 13:11 +1100, Damien Miller wrote:
> > On Thu, 26 Oct 2017, James Bottomley wrote:
> >
> > >
> > > Engine keys are keys whose file format is understood by a specific
> > > engine rather than by openssl itself. Since these keys are file
> > > based, the pkcs11 interface isn't appropriate for them because they
> > > don't actually represent tokens.
> >
> > What sort of keys do you have in mind here that can't be represented
> > via PKCS#11?
>
> Well, the engine keys are flat files, so the usual use case is to take
> the private key file and replace it with an engine key file in the .ssh
> directory so the private key becomes tied to the hardware platform and
> cannot be usefully exfiltrated.
Let me rephrase my question: what does using OpenSSL engines enable
that we can't already do via PKCS#11?
-d