Re: [keycloak-dev] Protecting/encrypting realm keys
On 02/09/2016 09:40 AM, John Dennis wrote:
On 02/08/2016 02:08 PM, Stian Thorgersen wrote:
> In essence the work would be to create a Encryption SPI and a default
> implementation. The default implementation would rely on the keys stored
> in the database. I'm not aware of any standard or libraries that can be
> used to communicate with HSM devices so I would imagine implementations
> for specific HSM vendors would have to be done by users themselves.
There are C libraries to support HSM devices. I think the big question
would be if they are Linux specific or not or if there are Java
bindings. I know the Certificate Server (i.e. Dogtag) that Red Hat ships
is written in Java and has HSM support. I also believe some of this is
in transition. I would suggest a conversation with Ade Lee
(alee(a)redhat.com) who would have more detailed information.
So, wouldn't the abstraction be NSS, and the Binding be the TomcatNSS
libraries?
HTH,