[keycloak-dev] Protecting/encrypting realm keys
John Dennis
jdennis at redhat.com
Tue Feb 9 09:40:38 EST 2016
On 02/08/2016 02:08 PM, Stian Thorgersen wrote:
> In essence the work would be to create a Encryption SPI and a default
> implementation. The default implementation would rely on the keys stored
> in the database. I'm not aware of any standard or libraries that can be
> used to communicate with HSM devices so I would imagine implementations
> for specific HSM vendors would have to be done by users themselves.
There are C libraries to support HSM devices. I think the big question
would be if they are Linux specific or not or if there are Java
bindings. I know the Certificate Server (i.e. Dogtag) that Red Hat ships
is written in Java and has HSM support. I also believe some of this is
in transition. I would suggest a conversation with Ade Lee
(alee at redhat.com) who would have more detailed information.
HTH,
--
John
More information about the keycloak-dev
mailing list