diff options
author | Rob Austein <sra@hactrn.net> | 2017-06-03 10:56:47 -0400 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2017-06-03 20:22:30 -0400 |
commit | ebd6c702e4426370a278b95becba3afb83715c0a (patch) | |
tree | a0142a89dadad4c8c10f97cd8471d081e2dd8b3e /masterkey.h | |
parent | f67796b71895f43912a4cd30e9f894946023e811 (diff) |
Add --soft-backup option to cryptech_backup.
cryptech_backup is designed to help the user transfer keys from one
Cryptech HSM to another, but what is is a user who has no second HSM
supposed to do for backup? The --soft-backup option enables a mode in
which cryptech_backup generates its own KEKEK instead of getting one
from the (nonexistent) target HSM. We make a best-effort attempt to
keep this soft KEKEK secure, by wrapping it with a symmetric key
derived from a passphrase, using AESKeyWrapWithPadding and PBKDF2,
but there's a limit to what a software-only solution can do here.
The --soft-backup code depends (heavily) on PyCrypto.
Diffstat (limited to 'masterkey.h')
0 files changed, 0 insertions, 0 deletions