Hi,

On Sat, Oct 28, 2017 at 01:02:27PM +0100, James Bottomley wrote:
> Engine keys are an openssl concept for a key file which can only be
> understood by an engine (usually because it's been wrapped by the
> engine itself). We use this for TPM engine keys, so you can either
> generate them within your TPM or wrap them from existing private keys.
> Once wrapped, the keys will only function in the TPM that generated
> them, so it means the VPN keys are tied to the physical platform, which
> is very useful. Engine keys have to be loaded via a specific callback,
> so use this as a fallback in openvpn if an engine is specified and if
> the PEM read of the private key fails.

How does this work in an OpenVPN context, as in, what do I have to do to
make TPM keys work on client and server?

Do we need a new abstraction layer here somewhere, given that this seems
to do something similar to using the windows crypto layer to access
"private keys hidden in windows" (--cryptoapicert) and/or pkcs11?

I see more #ifdef in the code and this is usually a sign of "it will
increase testing requirement, and we can't even test the abstraction if
none of us has the hardware".

But I leave the more specific discussion to Steffan and Antonio :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel