aboutsummaryrefslogtreecommitdiff
path: root/ks.c
diff options
context:
space:
mode:
authorRob Austein <sra@hactrn.net>2017-06-03 10:56:47 -0400
committerRob Austein <sra@hactrn.net>2017-06-03 10:56:47 -0400
commit61029eb57165c181497c09549cc2dd0fa9928f16 (patch)
tree497efa9d96e449afde9090ea5357592b069fd6d8 /ks.c
parent6a47490407210471afdd80f009123bd72014db3a (diff)
Add --soft-backup option to cryptech_backup.
cryptech_backup is designed to help the user transfer keys from one Cryptech HSM to another, but what is is a user who has no second HSM supposed to do for backup? The --soft-backup option enables a mode in which cryptech_backup generates its own KEKEK instead of getting one from the (nonexistent) target HSM. We make a best-effort attempt to keep this soft KEKEK secure, by wrapping it with a symmetric key derived from a passphrase, using AESKeyWrapWithPadding and PBKDF2, but there's a limit to what a software-only solution can do here. The --soft-backup code depends (heavily) on PyCrypto.
Diffstat (limited to 'ks.c')
0 files changed, 0 insertions, 0 deletions