I guess I'll just disallow storing sensitive key material on the RA altogether and let the CA handle this. Additionally, I'll look into making the CA email stuff to the users encrypted via S/MIME if they request it. I can't code in Perl, but I hope this could be achievable via some bash-fu :-)

But I'm getting a bit ahead of myself, I'll try importing my existing CAs to OpenXPKI first and doing some more sane stuff. Thank you for your time!

Jan

> On 25 Feb 2017, at 22:53, Oliver Welter <[email protected]> wrote:
>
> On 25.02.2017 at 21:40 Jan Schermer wrote:
>>
>>> The datasafe token is used to encrypt data written to the
>>> "datapool" table - it's the classic "sandwich" with asymmetric
>>> encryption, we generate a symmetric key to encrypt the payload and
>>> encrypt the key with the asymmetric token.
>>
>> So datapool contains raw private keys if I generate them on the CA? I
>> found finished downloads (PKCS12 etc.) in workflow_context table
>> (presumably encrypted with the user-supplied password and ready to
>> download), but I wondered where the keys initially were stored. Looks
>> like prime candidate to not have accessible on the RA. I guess this
>> comes to policy of where/who/what should be able to do, so I'll have
>> to think about this some more.
> Yes and no - it all depends on your workflows. The default workflow generates
> a private key as PEM encoded block, encrypted with the password supplied by
> the user (which can be either a "real" user password or a random string
> generated by the server). This data is then wrapped with the datasafe token
> to prevent brute force against data leaked from the database.
>
> You must make this data available and decryptable on the RA in order to allow
> a user to download it or provide the keys to the user out of band from the
> CA. The download workflows you have in the system should not contain any
> sensitive data - just some pointers to the key material which is unwrapped
> and sent to the browser in the moment the user requests it.
>
> Oliver
>
>
> --
> Protect your environment - close windows and adopt a penguin!
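The two-layer scheme Oliver describes (a PEM private key encrypted under the user's password, then wrapped with the datasafe token via a random symmetric key that is itself encrypted to the token), reproduced below with plain openssl as an added example. This is not OpenXPKI's own code and does not reproduce its datapool format; the file names, key sizes, the RSA-OAEP padding choice and the sample password are assumptions made for the demonstration. The script also checks the two properties that matter for Jan's RA/CA question: the database rows alone are useless without the datasafe private key, and even after unwrapping the inner PEM still needs the user's password.

```shell
#!/bin/sh
# Added example, not OpenXPKI's own code: the "sandwich" (envelope) scheme from
# the reply above, built from plain openssl commands. File names, key sizes,
# the OAEP padding choice and the sample password are assumptions.
set -eu

# Inner layer: the end-entity private key as a PEM block, encrypted under the
# password the user supplied (or a random string the server generated).
# usage: make_user_key <password> <out.pem>
make_user_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$2.plain" 2>/dev/null
  openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$2.plain" -passout "pass:$1" -out "$2"
  rm -f "$2.plain"   # the unencrypted PEM never outlives this function
}

# Outer layer (datasafe wrap): a fresh random AES-256 key encrypts the payload
# and that AES key is encrypted to the datasafe token's public key with
# RSA-OAEP. The database needs only payload.enc, iv.hex and aes.wrapped.
# usage: datasafe_wrap <plaintext> <token.pub> <dir>
datasafe_wrap() {
  w_in=$1; w_pub=$2; w_dir=$3
  openssl rand -hex 32 > "$w_dir/aes.hex"
  openssl rand -hex 16 > "$w_dir/iv.hex"
  openssl enc -aes-256-cbc -K "$(cat "$w_dir/aes.hex")" -iv "$(cat "$w_dir/iv.hex")" \
    -in "$w_in" -out "$w_dir/payload.enc"
  openssl pkeyutl -encrypt -pubin -inkey "$w_pub" -pkeyopt rsa_padding_mode:oaep \
    -in "$w_dir/aes.hex" -out "$w_dir/aes.wrapped"
  rm -f "$w_dir/aes.hex"   # the plaintext AES key is not stored anywhere
}

# Reverse of datasafe_wrap; needs the datasafe token's private key, which is
# exactly what an RA must not hold if it is not meant to read key material.
# usage: datasafe_unwrap <dir> <token.key> <plaintext-out>
datasafe_unwrap() {
  u_dir=$1; u_key=$2; u_out=$3
  u_aes=$(openssl pkeyutl -decrypt -inkey "$u_key" -pkeyopt rsa_padding_mode:oaep \
            -in "$u_dir/aes.wrapped" 2>/dev/null) || return 1
  openssl enc -d -aes-256-cbc -K "$u_aes" -iv "$(cat "$u_dir/iv.hex")" \
    -in "$u_dir/payload.enc" -out "$u_out" 2>/dev/null
}

# End-to-end check. Returns 0 when the wrap round-trips with the datasafe key,
# the recovered PEM still requires the user password, and a different RSA key
# cannot unwrap the payload. usage: demo_sandwich [workdir]
demo_sandwich() {
  d=${1:-$(mktemp -d)}
  user_pass='correct horse battery staple'   # constructed sample password

  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/datasafe.key" 2>/dev/null
  openssl pkey -in "$d/datasafe.key" -pubout -out "$d/datasafe.pub"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" 2>/dev/null

  make_user_key "$user_pass" "$d/user.pem"
  datasafe_wrap "$d/user.pem" "$d/datasafe.pub" "$d"

  # 1. CA side: unwrap with the datasafe token and get the identical PEM back
  datasafe_unwrap "$d" "$d/datasafe.key" "$d/recovered.pem" || return 1
  cmp -s "$d/user.pem" "$d/recovered.pem" || return 1

  # 2. The inner layer is still password-protected after unwrapping
  openssl pkey -in "$d/recovered.pem" -passin "pass:$user_pass" -noout || return 1
  if openssl pkey -in "$d/recovered.pem" -passin pass:wrong -noout 2>/dev/null; then
    return 1
  fi

  # 3. Holding the database rows plus some other RSA key is not enough
  if datasafe_unwrap "$d" "$d/other.key" "$d/leak.pem"; then
    return 1
  fi
  return 0
}

demo_sandwich && echo "datasafe sandwich: round trip OK, password still required, wrong token rejected"
```

Run it as is; it needs only openssl, mktemp and cmp. The split mirrors the policy question in the thread: whatever host can run datasafe_unwrap holds the token's private key and can read every wrapped payload in the table, so the datasafe key, not the database rows, is the asset to keep off the RA.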
