[keycloak-dev] Protecting/encrypting realm keys

Bruno Oliveira bruno at abstractj.org
Tue Feb 16 05:06:00 EST 2016


My 2 cents here, I'd take a look at YubiHSM, which has SDKs for Python
and Java (https://developers.yubico.com/Software_Projects/YubiHSM/)
and can be easily integrated with solutions like LinOTP
(https://linotp.org/doc/latest/part-management/securitymodule.html)

On Tue, Feb 16, 2016 at 3:07 AM, Adam Young <ayoung at redhat.com> wrote:
> On 02/09/2016 09:40 AM, John Dennis wrote:
>> On 02/08/2016 02:08 PM, Stian Thorgersen wrote:
>>> In essence the work would be to create a Encryption SPI and a default
>>> implementation. The default implementation would rely on the keys stored
>>> in the database. I'm not aware of any standard or libraries that can be
>>> used to communicate with HSM devices so I would imagine implementations
>>> for specific HSM vendors would have to be done by users themselves.
>> There are C libraries to support HSM devices. I think the big question
>> would be if they are Linux specific or not or if there are Java
>> bindings. I know the Certificate Server (i.e. Dogtag) that Red Hat ships
>> is written in Java and has HSM support. I also believe some of this is
>> in transition. I would suggest a conversation with Ade Lee
>> (alee at redhat.com) who would have more detailed information.
>
> So, wouldn't the abstraction be NSS, and the Binding be the TomcatNSS
> libraries?
>>
>> HTH,
>>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev



-- 
- abstractj
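An added illustration of the SPI split Stian sketches above (not Keycloak code, and not from anyone on this thread): a hypothetical `RealmSigningKey` boundary that hands out signatures and the public key but never private-key bytes, with the database-backed default beside an HSM-backed variant. The HSM side assumes the token speaks PKCS#11, the vendor-neutral interface most HSMs expose, reached through the JDK's own SunPKCS11 provider (Java 9+ `Provider.configure`); the config path, PIN and alias are placeholders, and RSA/SHA-256 is an arbitrary choice.

```java
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;

// Hypothetical SPI boundary: callers obtain signatures and the public key,
// never raw private-key bytes, so an HSM-backed implementation can keep the
// private key non-exportable inside the token.
interface RealmSigningKey {
    byte[] sign(byte[] data) throws GeneralSecurityException;
    PublicKey publicKey();
}

// Default implementation: key material loaded from the realm's database row,
// passed in here as PKCS#8 (private) and X.509 SubjectPublicKeyInfo (public) DER.
final class DatabaseBackedKey implements RealmSigningKey {
    private final PrivateKey priv;
    private final PublicKey pub;
    DatabaseBackedKey(byte[] pkcs8Der, byte[] x509Der) throws GeneralSecurityException {
        KeyFactory kf = KeyFactory.getInstance("RSA");
        priv = kf.generatePrivate(new PKCS8EncodedKeySpec(pkcs8Der));
        pub = kf.generatePublic(new X509EncodedKeySpec(x509Der));
    }
    public byte[] sign(byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv); s.update(data);
        return s.sign();
    }
    public PublicKey publicKey() { return pub; }
}

// HSM implementation through the JDK's SunPKCS11 provider (standard PKCS#11 API).
// The token's private key is referenced by an opaque handle; only sign() crosses it.
final class Pkcs11BackedKey implements RealmSigningKey {
    private final Provider p11;
    private final PrivateKey handle;
    private final PublicKey pub;
    Pkcs11BackedKey(String p11ConfigPath, char[] pin, String alias) throws Exception {
        p11 = Security.getProvider("SunPKCS11").configure(p11ConfigPath); // Java 9+
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);                            // logs in to the token
        handle = (PrivateKey) ks.getKey(alias, pin);   // handle, not key bytes
        pub = ks.getCertificate(alias).getPublicKey();
    }
    public byte[] sign(byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA", p11); // computed on the HSM
        s.initSign(handle); s.update(data);
        return s.sign();
    }
    public PublicKey publicKey() { return pub; }
}
```

Token verification code only ever touches `publicKey()`, so swapping the default for the PKCS#11 variant changes nothing outside the SPI.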

