12:47 p.m.
Hello,
We've been integrating Keycloak into one of our applications, and so far it's been
a pretty good experience. I'm looking now at how realms' signing keys are
protected. Currently Keycloak stores the private key in a database table, but we'd
like to explore protecting it with a Hardware Security Module (HSM).
A couple of years ago there was a discussion on this list on this topic (thread starts
here: https://lists.jboss.org/pipermail/keycloak-dev/2014-January/001124.html). One
suggestion was to have an EncryptionSpi interface that could be overridden to provide the
desired crypto operations; another was to use a master key sourced from somewhere outside
the DB to encrypt the private keys stored with the realm. Has there been any discussion
about either of these alternatives since?
I'm happy to help with the implementation, but would appreciate some guidance from
more experienced Keycloak devs on the best way to go about it.
Thanks,
--
Vikas Nagaraj
vikas.nagaraj@safenet-inc.com<mailto:vikas.nagaraj@safenet-inc.com>
--
The information contained in this electronic mail transmission
may be privileged and confidential, and therefore, protected
from disclosure. If you have received this communication in
error, please notify us immediately by replying to this
message and deleting it from your computer without copying
or disclosing it.
1:08 p.m.
We have briefly discussed HSM some more, but as you are the first to ask
about it we haven't made it a priority. We would certainly be interested in
a contribution towards it. It's a fairly big task and we would also need
decent test coverage for it.
In essence the work would be to create a Encryption SPI and a default
implementation. The default implementation would rely on the keys stored in
the database. I'm not aware of any standard or libraries that can be used
to communicate with HSM devices so I would imagine implementations for
specific HSM vendors would have to be done by users themselves.
As well as encryption/signature methods you would also have to deal with
how to retrieve the public key to display in the admin console and the
providers would also have to be able to tell Keycloak if they can generate
new keys or not. For providers that can generate new keys we would have the
option on the admin console to generate new realm keys, but for others not.
If you are interested let us know. As a heads up this could not be included
until 2.x.
On 8 February 2016 at 19:47, Nagaraj,Vikas <Vikas.Nagaraj(a)safenet-inc.com>
wrote:
Hello,
We’ve been integrating Keycloak into one of our applications, and so far
it’s been a pretty good experience. I’m looking now at how realms’ signing
keys are protected. Currently Keycloak stores the private key in a
database table, but we’d like to explore protecting it with a Hardware
Security Module (HSM).
A couple of years ago there was a discussion on this list on this topic
(thread starts here:
*https://lists.jboss.org/pipermail/keycloak-dev/2014-January/001124.html*
<https://lists.jboss.org/pipermail/keycloak-dev/2014-January/001124.html>).
One suggestion was to have an EncryptionSpi interface that could be
overridden to provide the desired crypto operations; another was to use a
master key sourced from somewhere outside the DB to encrypt the private
keys stored with the realm. Has there been any discussion about either of
these alternatives since?
I’m happy to help with the implementation, but would appreciate some
guidance from more experienced Keycloak devs on the best way to go about it.
Thanks,
--
Vikas Nagaraj
*vikas.nagaraj(a)safenet-inc.com* <vikas.nagaraj(a)safenet-inc.com>
The information contained in this electronic mail transmission
may be privileged and confidential, and therefore, protected
from disclosure. If you have received this communication in
error, please notify us immediately by replying to this
message and deleting it from your computer without copying
or disclosing it.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8:40 a.m.
On 02/08/2016 02:08 PM, Stian Thorgersen wrote:
In essence the work would be to create a Encryption SPI and a
default
implementation. The default implementation would rely on the keys stored
in the database. I'm not aware of any standard or libraries that can be
used to communicate with HSM devices so I would imagine implementations
for specific HSM vendors would have to be done by users themselves.
There are C libraries to support HSM devices. I think the big question
would be if they are Linux specific or not or if there are Java
bindings. I know the Certificate Server (i.e. Dogtag) that Red Hat ships
is written in Java and has HSM support. I also believe some of this is
in transition. I would suggest a conversation with Ade Lee
(alee(a)redhat.com) who would have more detailed information.
HTH,
--
John
11:56 a.m.
Hi John,
The SafeNet HSM has Java bindings via the JCE interface, as does Thales. I know less
about HSMs from other vendors, but I believe most of them support Java via the
Pkcs11Provider.
--vikas
-----Original Message-----
From: John Dennis [mailto:jdennis@redhat.com]
Sent: February-09-16 9:41 AM
To: stian(a)redhat.com; Nagaraj,Vikas
Cc: keycloak-dev(a)lists.jboss.org
Subject: Re: [keycloak-dev] Protecting/encrypting realm keys
There are C libraries to support HSM devices. I think the big question would be if they
are Linux specific or not or if there are Java bindings. I know the Certificate Server
(i.e. Dogtag) that Red Hat ships is written in Java and has HSM support. I also believe
some of this is in transition. I would suggest a conversation with Ade Lee
(alee(a)redhat.com) who would have more detailed information.
HTH,
--
John
--
The information contained in this electronic mail transmission
may be privileged and confidential, and therefore, protected
from disclosure. If you have received this communication in
error, please notify us immediately by replying to this
message and deleting it from your computer without copying
or disclosing it.
11:07 p.m.
On 02/09/2016 09:40 AM, John Dennis wrote:
On 02/08/2016 02:08 PM, Stian Thorgersen wrote:
> In essence the work would be to create a Encryption SPI and a default
> implementation. The default implementation would rely on the keys stored
> in the database. I'm not aware of any standard or libraries that can be
> used to communicate with HSM devices so I would imagine implementations
> for specific HSM vendors would have to be done by users themselves.
There are C libraries to support HSM devices. I think the big question
would be if they are Linux specific or not or if there are Java
bindings. I know the Certificate Server (i.e. Dogtag) that Red Hat ships
is written in Java and has HSM support. I also believe some of this is
in transition. I would suggest a conversation with Ade Lee
(alee(a)redhat.com) who would have more detailed information.
So, wouldn't the abstraction be NSS, and the Binding be the TomcatNSS
libraries?
HTH,
4:06 a.m.
My 2 cents here, I'd take a look at YubiHSM. Which has SDKs for Python
and Java (https://developers.yubico.com/Software_Projects/YubiHSM/)
and can be easily integrate with solutions like LinOTP
(https://linotp.org/doc/latest/part-management/securitymodule.html)
On Tue, Feb 16, 2016 at 3:07 AM, Adam Young <ayoung(a)redhat.com> wrote:
On 02/09/2016 09:40 AM, John Dennis wrote:
> On 02/08/2016 02:08 PM, Stian Thorgersen wrote:
>> In essence the work would be to create a Encryption SPI and a default
>> implementation. The default implementation would rely on the keys stored
>> in the database. I'm not aware of any standard or libraries that can be
>> used to communicate with HSM devices so I would imagine implementations
>> for specific HSM vendors would have to be done by users themselves.
> There are C libraries to support HSM devices. I think the big question
> would be if they are Linux specific or not or if there are Java
> bindings. I know the Certificate Server (i.e. Dogtag) that Red Hat ships
> is written in Java and has HSM support. I also believe some of this is
> in transition. I would suggest a conversation with Ade Lee
> (alee(a)redhat.com) who would have more detailed information.
So, wouldn't the abstraction be NSS, and the Binding be the TomcatNSS
libraries?
>
> HTH,
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
- abstractj
3119
days inactive
3127
days old
5 comments
5 participants
participants (5)
-
Adam Young -
Bruno Oliveira -
John Dennis -
Nagaraj,Vikas -
Stian Thorgersen