securing FAS certs

Mark Wormgoor mark at
Sat Aug 23 07:43:59 UTC 2008

Toshio Kuratomi schreef:
> Mike McGrath wrote:
>> On Thu, 21 Aug 2008, Ricky Zhou wrote:
>>> On 2008-08-21 02:21:34 PM, Mike McGrath wrote:
>>>> I've never actually used a crypto card... Do they add additional 
>>>> security
>>>> if they're sitting in a colo always plugged in?  If so how do they do
>>>> that?
>>> I might be wrong, but I think with such a card, encryption/signing takes
>>> place entirely on the card, and thus the secret key is never transferred
>>> anywhere off the card.
>> Ah, so the theory being that if someone happens to hit us, they're only
>> hitting us for as long as the machine is up / card is in.  And I assume
>> the card actually tracks serial numbers and things so we can revoke
>> anything that was signed in a questionable time?
> That seems like it would work well.  Jesse's been having troubles 
> obtaining the card he wants, though (and his is a gpg card, not for ssl 
> certificates).

Most of these cards work with OpenSSL just fine - though I'm not sure 
what additional hardware drivers are required to interface to the card.

All the card does is protect the private key from being obtained. When 
someone has (root) access to the machine, he can use the key for signing 
anyway. As such, an hsm should be connected only to a very secure 
machine, not running any other services and with highly restricted 
access. Connecting one to a Xen machine does not sound like a good idea :)

These keys are protected against hardware intrusion depending on their 
security level and will zero out the keys upon hardware tampering.

Kind regards,


More information about the Fedora-infrastructure-list mailing list