[PATCH 1/2] Add support for openssl engine based keys

Damien Miller djm at mindrot.org
Fri Jan 31 10:02:23 AEDT 2020


On Thu, 30 Jan 2020, James Bottomley wrote:

> Engine keys are keys whose file format is understood by a specific
> engine rather than by openssl itself.  Since these keys are file
> based, the pkcs11 interface isn't appropriate for them because they
> don't actually represent tokens.  The currently most useful engines for
> openssh keys are the TPM engines, which allow all private keys to be
> stored in a form only the TPM hardware can decode, making them
> impossible to steal.

I think this is similar enough to the FIDO key support that we
recently added to OpenSSH that it would be best to reuse those
interfaces for these keys. FIDO keys are file based as well - the
enrollment/generation process returns a "key handle" that we bundle
up in a private key and that needs to be supplied when signing.

Have a look at regress/misc/sk-dummy/sk-dummy.c in portable OpenSSH
for a dummy version of the API that just calls out to libcrypto.

-d
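The key-handle model described in the reply above (enrollment returns an opaque handle that the host stores in its private key file and must present at signing time, while the secret itself never leaves the device) as an added Python example. This is not code from OpenSSH or from sk-dummy.c, and it does not reproduce the real sk API's C signatures. It assumes one common authenticator design, in which the device derives each credential's private scalar from a device-resident master secret plus the handle, and it uses Schnorr signatures over a toy group (the multiplicative group mod the Mersenne prime 2**61 - 1) so that it runs with only the standard library.

```python
"""Toy model of a key-handle security key, in the spirit of OpenSSH's sk API.

Added example, not OpenSSH or sk-dummy.c code.  Assumed design: the device
derives each credential's private scalar from a device-resident master secret
and a random key handle, and signs with Schnorr over a toy group (the
multiplicative group mod the Mersenne prime 2**61 - 1, exponents mod P - 1).
"""
import hashlib
import hmac
import secrets

P = (1 << 61) - 1   # toy modulus (prime); exponent arithmetic is mod N
N = P - 1
G = 3               # toy base element


def _hash_int(*parts: bytes) -> int:
    """Hash byte strings to a 256-bit integer (the Schnorr challenge)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


class Device:
    """Stand-in for the authenticator or TPM: the master secret never leaves it."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)

    def _derive(self, handle: bytes, application: bytes) -> int:
        # The private scalar is recomputed on demand and never exported.
        d = hmac.new(self._master, handle + application, hashlib.sha256).digest()
        return 1 + int.from_bytes(d, "big") % (N - 1)

    def enroll(self, application: bytes) -> tuple[bytes, int]:
        """Create a credential; return (key_handle, public_key) for the host."""
        handle = secrets.token_bytes(16)
        return handle, pow(G, self._derive(handle, application), P)

    def sign(self, handle: bytes, application: bytes, data: bytes) -> tuple[int, int]:
        """Schnorr-sign `data`; the host must supply the handle it stored."""
        x = self._derive(handle, application)
        k = 1 + secrets.randbelow(N - 1)
        r = pow(G, k, P)
        e = _hash_int(r.to_bytes(8, "big"), application, data)
        s = (k - x * e) % N
        return e, s


def verify(public_key: int, application: bytes, data: bytes, sig: tuple[int, int]) -> bool:
    """Host-side check using only the public key: g^s * y^e must equal r."""
    e, s = sig
    if not (0 <= s < N and 1 < public_key < P):
        return False
    r = (pow(G, s, P) * pow(public_key, e, P)) % P
    return _hash_int(r.to_bytes(8, "big"), application, data) == e


def demo() -> dict:
    """Walk through enroll -> store handle -> sign -> verify, plus two failure cases."""
    app = b"ssh:"                       # application string (OpenSSH's default for SSH keys)
    dev = Device()
    handle, pub = dev.enroll(app)
    # What the host persists as its "private key": handle + public key, no secret.
    private_key_file = {"application": app, "key_handle": handle, "public_key": pub}

    msg = b"constructed session id and signed data"   # constructed sample input
    sig = dev.sign(private_key_file["key_handle"], app, msg)
    return {
        "valid": verify(pub, app, msg, sig),
        "tampered_data": verify(pub, app, msg + b"!", sig),
        # Same file copied to a host with a different device: the handle alone is useless.
        "other_device": verify(pub, app, msg, Device().sign(handle, app, msg)),
    }
```

The point to take from `demo()` is what the host actually stores: a handle and a public key, nothing that can be used without the enrolling device. Copying the private key file to another machine, which is the theft scenario the original post raises for TPM-wrapped keys, yields a handle that a different device turns into an unrelated key, so its signatures fail verification. A real TPM engine would wrap a generated key under a device-bound key rather than derive it from the handle, but the host-side contract (store an opaque blob, present it when signing) is the same.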
