On 2022-12-22 11:15:57 +0100, Rainer Duffner wrote:
> On 22.12.2022 at 10:46, Peter J. Holzer <[email protected]> wrote:
> > If the hacker has root access: What prevents them from talking to the
> > HSM?
>
> I wasn’t involved in setting it up here, but AFAIK you need to „enroll“ the
> client to the HSM.
>
> That is a one-time process that requires HSM credentials (via certificates and
> pass-phrases).
>
> Then, that client can talk to the HSM.

Which means that some sort of access-token is stored on the client.
So what prevents a hacker from using that access token?
> The HSM-client is (or should be) engineered in such a way that you can’t
> extract the encryption-secret easily.
Security by obscurity? Just hope that nobody figures out how that access
token is stored? That doesn't seem like a good strategy against
high-level threats.
hp
--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | [email protected] | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"
