diff options
author | Rob Austein <sra@hactrn.net> | 2017-06-03 10:56:47 -0400 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2017-06-03 10:56:47 -0400 |
commit | 61029eb57165c181497c09549cc2dd0fa9928f16 (patch) | |
tree | 497efa9d96e449afde9090ea5357592b069fd6d8 /ks.c | |
parent | 6a47490407210471afdd80f009123bd72014db3a (diff) |
Add --soft-backup option to cryptech_backup.
cryptech_backup is designed to help the user transfer keys from one
Cryptech HSM to another, but what is is a user who has no second HSM
supposed to do for backup? The --soft-backup option enables a mode in
which cryptech_backup generates its own KEKEK instead of getting one
from the (nonexistent) target HSM. We make a best-effort attempt to
keep this soft KEKEK secure, by wrapping it with a symmetric key
derived from a passphrase, using AESKeyWrapWithPadding and PBKDF2,
but there's a limit to what a software-only solution can do here.
The --soft-backup code depends (heavily) on PyCrypto.
Diffstat (limited to 'ks.c')
0 files changed, 0 insertions, 0 deletions