Hi,

On Sat, Oct 28, 2017 at 01:02:27PM +0100, James Bottomley wrote:
> Engine keys are an openssl concept for a key file which can only be
> understood by an engine (usually because it's been wrapped by the
> engine itself). We use this for TPM engine keys, so you can either
> generate them within your TPM or wrap them from existing private keys.
> Once wrapped, the keys will only function in the TPM that generated
> them, so it means the VPN keys are tied to the physical platform, which
> is very useful. Engine keys have to be loaded via a specific callback,
> so use this as a fallback in openvpn if an engine is specified and if
> the PEM read of the private key fails.
How does this work in an OpenVPN context, as in, what do I have to do
to make TPM keys work on client and server?
Do we need a new abstraction layer here somewhere, given that this
seems to do something similar to using the windows crypto layer to
access "private keys hidden in windows" (--cryptoapicert) and/or
pkcs11?
I see more #ifdef in the code and this is usually a sign of "it will
increase testing requirement, and we can't even test the abstraction if
none of us has the hardware".
But I leave the more specific discussion to Steffan and Antonio :-)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany [email protected]
fax: +49-89-35655025 [email protected]
Openvpn-devel mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
