On 15/10/2012, at 2:41 PM, Richard Lamb <[email protected]> wrote:
> Why not the tpm migration method? I. E. > > > The receiving hsm produces the public half of a master storage key. > Then the starting hsm "authorizes" the key for use for exporting with pomp > and circumstance ;-) > Then the starting hsm encrypts it's keys with this key (rsa) for transfer to > the receiving hsm. > Receiving hsm unwraps the key using its private key. > Done > Its not a 'standard' as I understand it. its a fine idea. Its pretty much what Steve Kent said people do, but I've found SafeNet went out of their way to make this hard. you have to do a wierd RSA key induction process by cosigning the RSA key with a 3DES as a cipher block chain then un=encode on the HSM, then re-bless they key for use as a masking/signing key, then use it to mask sign another key which has been flagged as suitable for export and at each stage, there are points where if you are in FIPS mode it can wipe because you said you wouldn't do that... its really ugly. migration to another safenet? easy-as: bless it with the same security officer key, put it in the same 'domain' and just copy the damn keys over -G _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
