[keycloak-dev] Protecting/encrypting realm keys
Adam Young
ayoung at redhat.com
Tue Feb 16 00:07:20 EST 2016
On 02/09/2016 09:40 AM, John Dennis wrote:
> On 02/08/2016 02:08 PM, Stian Thorgersen wrote:
>> In essence the work would be to create a Encryption SPI and a default
>> implementation. The default implementation would rely on the keys stored
>> in the database. I'm not aware of any standard or libraries that can be
>> used to communicate with HSM devices so I would imagine implementations
>> for specific HSM vendors would have to be done by users themselves.
> There are C libraries to support HSM devices. I think the big question
> would be if they are Linux specific or not or if there are Java
> bindings. I know the Certificate Server (i.e. Dogtag) that Red Hat ships
> is written in Java and has HSM support. I also believe some of this is
> in transition. I would suggest a conversation with Ade Lee
> (alee at redhat.com) who would have more detailed information.
So, wouldn't the abstraction be NSS, and the Binding be the TomcatNSS
libraries?
>
> HTH,
>
More information about the keycloak-dev
mailing list