[keycloak-dev] Protecting/encrypting realm keys

Stian Thorgersen sthorger at redhat.com
Mon Feb 8 14:08:42 EST 2016 

We have briefly discussed HSM some more, but as you are the first to ask
about it we haven't made it a priority. We would certainly be interested in
a contribution towards it. It's a fairly big task and we would also need
decent test coverage for it.

In essence the work would be to create a Encryption SPI and a default
implementation. The default implementation would rely on the keys stored in
the database. I'm not aware of any standard or libraries that can be used
to communicate with HSM devices so I would imagine implementations for
specific HSM vendors would have to be done by users themselves.

As well as encryption/signature methods you would also have to deal with
how to retrieve the public key to display in the admin console and the
providers would also have to be able to tell Keycloak if they can generate
new keys or not. For providers that can generate new keys we would have the
option on the admin console to generate new realm keys, but for others not.

If you are interested let us know. As a heads up this could not be included
until 2.x.


On 8 February 2016 at 19:47, Nagaraj,Vikas <Vikas.Nagaraj at safenet-inc.com>
wrote:

> Hello,
>
> We’ve been integrating Keycloak into one of our applications, and so far
> it’s been a pretty good experience.  I’m looking now at how realms’ signing
> keys are protected.  Currently Keycloak stores the private key in a
> database table, but we’d like to explore protecting it with a Hardware
> Security Module (HSM).
>
> A couple of years ago there was a discussion on this list on this topic
> (thread starts here:
> *https://lists.jboss.org/pipermail/keycloak-dev/2014-January/001124.html*
> <https://lists.jboss.org/pipermail/keycloak-dev/2014-January/001124.html>).
> One suggestion was to have an EncryptionSpi interface that could be
> overridden to provide the desired crypto operations; another was to use a
> master key sourced from somewhere outside the DB to encrypt the private
> keys stored with the realm.  Has there been any discussion about either of
> these alternatives since?
>
> I’m happy to help with the implementation, but would appreciate some
> guidance from more experienced Keycloak devs on the best way to go about it.
>
> Thanks,
>
> --
> Vikas Nagaraj
> *vikas.nagaraj at safenet-inc.com* <vikas.nagaraj at safenet-inc.com>
>
>
>
>
> The information contained in this electronic mail transmission
> may be privileged and confidential, and therefore, protected
> from disclosure. If you have received this communication in
> error, please notify us immediately by replying to this
> message and deleting it from your computer without copying
> or disclosing it.
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160208/5ccfac39/attachment.html

More information about the keycloak-dev mailing list