aboutsummaryrefslogtreecommitdiff
path: root/cryptech_muxd
diff options
context:
space:
mode:
authorRob Austein <sra@hactrn.net>2017-06-03 10:56:47 -0400
committerRob Austein <sra@hactrn.net>2017-06-03 20:22:30 -0400
commitebd6c702e4426370a278b95becba3afb83715c0a (patch)
treea0142a89dadad4c8c10f97cd8471d081e2dd8b3e /cryptech_muxd
parentf67796b71895f43912a4cd30e9f894946023e811 (diff)
Add --soft-backup option to cryptech_backup.
cryptech_backup is designed to help the user transfer keys from one Cryptech HSM to another, but what is is a user who has no second HSM supposed to do for backup? The --soft-backup option enables a mode in which cryptech_backup generates its own KEKEK instead of getting one from the (nonexistent) target HSM. We make a best-effort attempt to keep this soft KEKEK secure, by wrapping it with a symmetric key derived from a passphrase, using AESKeyWrapWithPadding and PBKDF2, but there's a limit to what a software-only solution can do here. The --soft-backup code depends (heavily) on PyCrypto.
Diffstat (limited to 'cryptech_muxd')
0 files changed, 0 insertions, 0 deletions