On 02/08/2016 02:08 PM, Stian Thorgersen wrote:
In essence the work would be to create an Encryption SPI and a default
implementation. The default implementation would rely on the keys stored
in the database. I'm not aware of any standard or libraries that can be
used to communicate with HSM devices so I would imagine implementations
for specific HSM vendors would have to be done by users themselves.
There are C libraries to support HSM devices. I think the big question
would be if they are Linux-specific or not, or if there are Java
bindings. I know the Certificate Server (i.e. Dogtag) that Red Hat ships
is written in Java and has HSM support. I also believe some of this is
in transition. I would suggest a conversation with Ade Lee
(alee(a)redhat.com) who would have more detailed information.
HTH,
--
John
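As an added illustration of the SPI shape Stian sketches (an Encryption SPI, a default implementation backed by stored keys, vendor-specific HSM implementations plugged in separately), here is example code that is not from the thread or from Keycloak. It assumes a hypothetical `EncryptionProvider` interface and a default implementation that takes any JCA `KeyStore`; the in-memory JCEKS store with one AES key is a constructed stand-in for keys loaded from the database. The point of going through `KeyStore` is that the JCA already has a `PKCS11` keystore type (the SunPKCS11 provider), so an HSM exposing a PKCS#11 module can back the same `Cipher` calls without a separate vendor binding; that note is mine, not the thread's, and the HSM wiring is described but not exercised here.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical SPI: callers name a key alias, the provider owns the key material.
interface EncryptionProvider {
    byte[] encrypt(String keyAlias, byte[] plaintext, byte[] aad) throws Exception;
    byte[] decrypt(String keyAlias, byte[] blob, byte[] aad) throws Exception;
}

// Default implementation: keys come from whatever KeyStore the deployment supplies.
// A DB-backed default would build a software KeyStore from stored key material;
// an HSM deployment would hand in a KeyStore of type "PKCS11", where the key never
// leaves the device and the Cipher calls below are unchanged (assumption: the HSM's
// PKCS#11 module supports AES-GCM).
final class KeyStoreEncryptionProvider implements EncryptionProvider {
    private static final int IV_BYTES = 12;   // 96-bit IV per NIST SP 800-38D
    private static final int TAG_BITS = 128;
    private final KeyStore keyStore;
    private final char[] keyPassword;
    private final SecureRandom random = new SecureRandom();

    KeyStoreEncryptionProvider(KeyStore keyStore, char[] keyPassword) {
        this.keyStore = keyStore;
        this.keyPassword = keyPassword;
    }

    private SecretKey key(String alias) throws Exception {
        Key k = keyStore.getKey(alias, keyPassword);
        if (!(k instanceof SecretKey)) {
            throw new IllegalArgumentException("no secret key under alias " + alias);
        }
        return (SecretKey) k;
    }

    @Override
    public byte[] encrypt(String alias, byte[] plaintext, byte[] aad) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);                      // fresh IV per message; never reuse under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key(alias), new GCMParameterSpec(TAG_BITS, iv));
        if (aad != null) c.updateAAD(aad);         // bind ciphertext to its context (e.g. realm id)
        byte[] ct = c.doFinal(plaintext);          // ciphertext || 16-byte tag
        return ByteBuffer.allocate(IV_BYTES + ct.length).put(iv).put(ct).array();
    }

    @Override
    public byte[] decrypt(String alias, byte[] blob, byte[] aad) throws Exception {
        if (blob.length < IV_BYTES + TAG_BITS / 8) {
            throw new IllegalArgumentException("blob too short to hold IV and tag");
        }
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, IV_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key(alias), new GCMParameterSpec(TAG_BITS, iv));
        if (aad != null) c.updateAAD(aad);
        return c.doFinal(ct);                      // throws AEADBadTagException if blob or AAD was tampered with
    }
}

public class EncryptionSpiDemo {
    public static void main(String[] args) throws Exception {
        // Constructed sample: an in-memory JCEKS store with one AES-256 key stands in
        // for key material the default implementation would load from the database.
        char[] pw = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        ks.setEntry("realm-key", new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(pw));

        EncryptionProvider provider = new KeyStoreEncryptionProvider(ks, pw);
        byte[] aad = "realm:master".getBytes(StandardCharsets.UTF_8);
        byte[] blob = provider.encrypt("realm-key", "client secret".getBytes(StandardCharsets.UTF_8), aad);
        System.out.println(new String(provider.decrypt("realm-key", blob, aad), StandardCharsets.UTF_8));

        // Wrong context must fail, not silently return garbage.
        try {
            provider.decrypt("realm-key", blob, "realm:other".getBytes(StandardCharsets.UTF_8));
        } catch (javax.crypto.AEADBadTagException e) {
            System.out.println("rejected: AAD mismatch");
        }
    }
}
```

To back the same provider with an HSM instead of the JCEKS stand-in, the deployment would register the SunPKCS11 provider for the vendor's module (on Java 9 and later, `Security.getProvider("SunPKCS11").configure("/path/to/pkcs11.cfg")`, the config file naming the vendor's `.so`/`.dll` and slot) and obtain the store with `KeyStore.getInstance("PKCS11", thatProvider)`; the PIN takes the place of `keyPassword`. That path is an assumption about how an implementer would wire it up and is not exercised by the demo.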