Age | Commit message (Collapse) | Author | |
---|---|---|---|
2020-09-06 | Can't write bytes to JSON, only str | Rob Austein | |
2020-07-13 | Whack all Python shebangs to Python 3 | Rob Austein | |
2020-05-26 | Wow, python-version-independent hexadecimal is painful | Rob Austein | |
2020-05-25 | Untested conversion to support Python 3 | Rob Austein | |
2017-06-03 | Add --soft-backup option to cryptech_backup. | Rob Austein | |
cryptech_backup is designed to help the user transfer keys from one Cryptech HSM to another, but what is is a user who has no second HSM supposed to do for backup? The --soft-backup option enables a mode in which cryptech_backup generates its own KEKEK instead of getting one from the (nonexistent) target HSM. We make a best-effort attempt to keep this soft KEKEK secure, by wrapping it with a symmetric key derived from a passphrase, using AESKeyWrapWithPadding and PBKDF2, but there's a limit to what a software-only solution can do here. The --soft-backup code depends (heavily) on PyCrypto. | |||
2017-04-14 | Clean up and document cryptech_backup. | Rob Austein | |
2017-04-14 | Python interface API will need to be cryptech.libhal for installation. | Rob Austein | |
2017-04-11 | API cleanup: pkey_open() and pkey_match(). | Rob Austein | |
pkey_open() now looks in both keystores rather than requiring the user to know. The chance of collision with randomly-generated UUID is low enough that we really ought to be able to present a single namespace. So now we do. pkey_match() now takes a couple of extra arguments which allow a single search to cover both keystores, as well as matching for specific key flags. The former interface was pretty much useless for anything involving flags, and required the user to issue a separate call for each keystore. User wheel is now exempt from the per-session key lookup constraints, Whether this is a good idea or not is an interesting question, but the whole PKCS #11 derived per-session key thing is weird to begin with, and having keystore listings on the console deliberately ignore session keys was just too confusing. | |||
2017-04-09 | First cut at HSM backup script. | Rob Austein | |