<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri, sans-serif" size="2">
<div>Hello,</div>
<div> </div>
<div>We’ve been integrating Keycloak into one of our applications, and so far it’s been a pretty good experience. I’m looking now at how realms’ signing keys are protected. Currently Keycloak stores the private key in a database table, but we’d like to explore
protecting it with a Hardware Security Module (HSM).</div>
<div> </div>
<div>A couple of years ago there was a discussion on this list on this topic (thread starts here: <a href="https://lists.jboss.org/pipermail/keycloak-dev/2014-January/001124.html"><font color="#0000FF"><u>https://lists.jboss.org/pipermail/keycloak-dev/2014-January/001124.html</u></font></a>).
One suggestion was to have an EncryptionSpi interface that could be overridden to provide the desired crypto operations; another was to use a master key sourced from somewhere outside the DB to encrypt the private keys stored with the realm. Has there been
any discussion about either of these alternatives since?</div>
<div> </div>
<div>I’m happy to help with the implementation, but would appreciate some guidance from more experienced Keycloak devs on the best way to go about it.</div>
<div> </div>
<div>Thanks,</div>
<div> </div>
<div>-- </div>
<div>Vikas Nagaraj</div>
<div><a href="mailto:vikas.nagaraj@safenet-inc.com"><font color="#0000FF"><u>vikas.nagaraj@safenet-inc.com</u></font></a></div>
<div> </div>
<div> </div>
<div> </div>
</font>
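<div>The second alternative raised above (a master key held outside the database that wraps each realm's stored private key) sketched as an added example, not code from Keycloak or from the message author. It assumes a Go service, a 32-byte AES-256 master key supplied as base64 in an environment variable whose name (KEYCLOAK_MASTER_KEY) is an assumption of this example, and a realm key table that holds only the wrapped form; in production the master key would come from an HSM or KMS rather than the environment.</div>

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
)

// WrappedKey is what the realm's key table would persist instead of the plaintext
// private key: AES-GCM ciphertext of the PKCS#8 DER plus the nonce used. The realm
// name is bound in as associated data, so a row copied into another realm fails to unwrap.
type WrappedKey struct {
	Nonce      []byte
	Ciphertext []byte
}

// loadMasterKey fetches the master key from outside the database. The env var name
// is an assumption of this example; an HSM/KMS unwrap call would sit here in production.
func loadMasterKey(envName string) ([]byte, error) {
	v := os.Getenv(envName)
	if v == "" {
		return nil, fmt.Errorf("%s is not set; refusing to fall back to a key stored in the DB", envName)
	}
	k, err := base64.StdEncoding.DecodeString(v)
	if err != nil {
		return nil, err
	}
	if len(k) != 32 {
		return nil, fmt.Errorf("master key must be 32 bytes (AES-256), got %d", len(k))
	}
	return k, nil
}

func newGCM(master []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(master)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapKey encrypts the realm signing key under the master key. A fresh random nonce
// is drawn per wrap: GCM is broken if a nonce ever repeats under the same key.
func wrapKey(master []byte, priv *rsa.PrivateKey, realm string) (*WrappedKey, error) {
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(master)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &WrappedKey{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, der, []byte(realm))}, nil
}

// unwrapKey recovers the private key. Wrong master key, tampered row or wrong realm all
// surface as one authentication failure; GCM never returns partially decrypted bytes.
func unwrapKey(master []byte, w *WrappedKey, realm string) (*rsa.PrivateKey, error) {
	gcm, err := newGCM(master)
	if err != nil {
		return nil, err
	}
	der, err := gcm.Open(nil, w.Nonce, w.Ciphertext, []byte(realm))
	if err != nil {
		return nil, fmt.Errorf("unwrap failed for realm %q: %w", realm, err)
	}
	key, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	rsaKey, ok := key.(*rsa.PrivateKey)
	if !ok {
		return nil, errors.New("wrapped key is not an RSA key")
	}
	return rsaKey, nil
}

// signWithRealmKey is the token-signing path: unwrap, sign, and let the plaintext key
// go out of scope rather than caching it beside the DB row.
func signWithRealmKey(master []byte, w *WrappedKey, realm string, msg []byte) ([]byte, error) {
	priv, err := unwrapKey(master, w, realm)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

func verifyRealmSignature(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	master, err := loadMasterKey("KEYCLOAK_MASTER_KEY") // assumed variable name
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	w, _ := wrapKey(master, priv, "master")
	msg := []byte("header.payload") // constructed stand-in for a JWS signing input
	sig, err := signWithRealmKey(master, w, "master", msg)
	fmt.Println(err == nil && verifyRealmSignature(&priv.PublicKey, msg, sig))
}
```

<div>Swapping the environment variable for an HSM changes only loadMasterKey and the wrap/unwrap calls; the table schema and the signing path stay the same, which is the point of keeping a key-wrapping layer between the realm model and the storage of the private key.</div>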
</body>
</html>