[keycloak-dev] Protecting/encrypting realm keys

Nagaraj,Vikas Vikas.Nagaraj at safenet-inc.com
Mon Feb 8 13:47:28 EST 2016


Hello,

We've been integrating Keycloak into one of our applications, and so far it's been a pretty good experience.  I'm looking now at how realms' signing keys are protected.  Currently Keycloak stores the private key in a database table, but we'd like to explore protecting it with a Hardware Security Module (HSM).

A couple of years ago there was a discussion on this list on this topic (thread starts here: https://lists.jboss.org/pipermail/keycloak-dev/2014-January/001124.html).  One suggestion was to have an EncryptionSpi interface that could be overridden to provide the desired crypto operations; another was to use a master key sourced from somewhere outside the DB to encrypt the private keys stored with the realm.  Has there been any discussion about either of these alternatives since?

I'm happy to help with the implementation, but would appreciate some guidance from more experienced Keycloak devs on the best way to go about it.

Thanks,

--
Vikas Nagaraj
vikas.nagaraj at safenet-inc.com




-- 
The information contained in this electronic mail transmission 
may be privileged and confidential, and therefore, protected 
from disclosure. If you have received this communication in 
error, please notify us immediately by replying to this 
message and deleting it from your computer without copying 
or disclosing it.
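The second alternative raised in the message above (a master key sourced from outside the database that encrypts the per-realm private keys) can be illustrated with a small envelope-encryption example. The following Go program is an added example for this thread, not Keycloak code and not the proposal of anyone on the list; Keycloak itself is Java, but the pattern is the same. It assumes a 32-byte master key obtained from an environment variable named `KEYCLOAK_REALM_MASTER_KEY` (a stand-in for an HSM or secrets-manager lookup; the variable name and the `WrapRealmKey`/`UnwrapRealmKey` functions are hypothetical), wraps a realm's RSA private key with AES-256-GCM, and binds the realm name as associated data so a wrapped blob copied into another realm's row does not decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
)

// MasterKeyFromEnv loads a 32-byte, hex-encoded master key from the environment.
// This is the "key sourced from somewhere outside the DB"; in a real deployment
// the lookup would go to an HSM or a secrets manager instead (hypothetical name).
func MasterKeyFromEnv(name string) ([]byte, error) {
	v, ok := os.LookupEnv(name)
	if !ok {
		return nil, fmt.Errorf("master key variable %s not set", name)
	}
	key, err := hex.DecodeString(v)
	if err != nil || len(key) != 32 {
		return nil, errors.New("master key must be 32 bytes of hex")
	}
	return key, nil
}

// newAEAD builds an AES-256-GCM AEAD from the master key.
func newAEAD(master []byte) (cipher.AEAD, error) {
	if len(master) != 32 {
		return nil, errors.New("master key must be 32 bytes")
	}
	block, err := aes.NewCipher(master)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapRealmKey encrypts a realm's RSA private key under the master key.
// The realm name is bound as associated data, so the blob only decrypts for
// that realm. The returned nonce || ciphertext || tag is what the database
// column would hold instead of the plaintext key.
func WrapRealmKey(master []byte, realm string, priv *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(master)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, der, []byte(realm)), nil
}

// UnwrapRealmKey reverses WrapRealmKey. A wrong master key, a different realm
// name, or any modification of the stored blob makes GCM authentication fail,
// so no key material is returned in those cases.
func UnwrapRealmKey(master []byte, realm string, blob []byte) (*rsa.PrivateKey, error) {
	aead, err := newAEAD(master)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("stored blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	der, err := aead.Open(nil, nonce, ct, []byte(realm))
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (wrong master key, wrong realm, or tampered blob): %w", err)
	}
	key, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	rsaKey, ok := key.(*rsa.PrivateKey)
	if !ok {
		return nil, errors.New("stored key is not an RSA key")
	}
	return rsaKey, nil
}

func main() {
	// Constructed demo master key so the program runs offline; a deployment
	// would call MasterKeyFromEnv("KEYCLOAK_REALM_MASTER_KEY") or ask the HSM.
	sum := sha256.Sum256([]byte("constructed demo master key, not for real use"))
	master := sum[:]
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	blob, err := WrapRealmKey(master, "demo-realm", priv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes (nonce + ciphertext + tag)\n", len(blob))
	back, err := UnwrapRealmKey(master, "demo-realm", blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", back.Equal(priv))
	_, err = UnwrapRealmKey(master, "other-realm", blob)
	fmt.Println("blob moved to another realm:", err)
}
```

The design point this shows is that the database then holds only authenticated ciphertext: an attacker with a dump of the realm table still needs the master key, which lives elsewhere, and GCM's tag plus the realm-name associated data means a blob cannot be silently altered or transplanted between realms. It does not by itself keep the private key out of application memory; that is what the HSM-backed signing route (the EncryptionSpi idea in the thread) would add.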
