[keycloak-dev] Protecting/encrypting realm keys

John Dennis jdennis at redhat.com
Tue Feb 9 09:40:38 EST 2016


On 02/08/2016 02:08 PM, Stian Thorgersen wrote:
> In essence the work would be to create an Encryption SPI and a default
> implementation. The default implementation would rely on the keys stored
> in the database. I'm not aware of any standard or libraries that can be
> used to communicate with HSM devices so I would imagine implementations
> for specific HSM vendors would have to be done by users themselves.

There are C libraries to support HSM devices. I think the big question
would be if they are Linux-specific or not, or if there are Java
bindings. I know the Certificate Server (i.e. Dogtag) that Red Hat ships
is written in Java and has HSM support. I also believe some of this is
in transition. I would suggest a conversation with Ade Lee
(alee at redhat.com) who would have more detailed information.

HTH,

-- 
John
