On 6 Feb 2014, at 08:03, Matthijs Mekking <[email protected]> wrote on
OpenDNSSEC-develop:
> During the OpenDNSSEC tutorial, one of the attendants asked me if USB
> or PCI-based HSM worked well with virtualization, for example, to deploy
> an HSM to a host and run a bunch of virtual servers to provide the
> signing service to different "customers". Do you have any experience
> around that topic? Feel free to discuss the idea internally.
Passthrough would only work for one virtual server at a time, so sharing would
not be very useful.
I would look into a PKCS#11 proxy [1] instead, basically creating your own
networked HSM with a USB/PCI backend.
However, the "customers" would need to trust each other somewhat, as they actually
share tokens within the same HSM.
jakob
[1] https://github.com/SUNET/pkcs11-proxy
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user