On 29.10.17 at 16:24, Gert Doering wrote:
> Hi,
>
> On Sat, Oct 28, 2017 at 01:02:27PM +0100, James Bottomley wrote:
>> Engine keys are an openssl concept for a key file which can only be
>> understood by an engine (usually because it's been wrapped by the
>> engine itself). We use this for TPM engine keys, so you can either
>> generate them within your TPM or wrap them from existing private keys.
>> Once wrapped, the keys will only function in the TPM that generated
>> them, so it means the VPN keys are tied to the physical platform, which
>> is very useful. Engine keys have to be loaded via a specific callback,
>> so use this as a fallback in openvpn if an engine is specified and if
>> the PEM read of the private key fails.
>
> How does this work in an OpenVPN context, as in, what do I have to do
> to make TPM keys work on client and server?
>
> Do we need a new abstraction layer here somewhere, given that this
> seems to do something similar to using the windows crypto layer to
> access "private keys hidden in windows" (--cryptoapicert) and/or
> pkcs11?
>
> I see more #ifdef in the code and this is usually a sign of "it will
> increase testing requirement, and we can't even test the abstraction if
> none of us has the hardware".
>
> But I leave the more specific discussion to Steffan and Antonio :-)
As a sidenote, OpenVPN itself implements its own "engine" (with the older
pre-engine RSA_method) to allow management-external-keys. Unifying that
would be nice but is probably a lot of work, especially since the OpenVPN
engine is not so straightforward to implement.

Arne