That may not be strictly true going forward - in particular, the combination
of the keyctl API (see "trusted keys"[1]) and the "trusted kernel" work[2]
(or possibly whatever name Phoronix comes up with if someone thinks Matthew
Garrett is bluffing) mean that "known to the kernel" == "accessible to root"
may not always hold. An alternate dmsetup syntax that uses a key in a
kernel-side keyring might be all that's needed for such a thing.

[1] https://git.kernel.org/cgit/linux/kernel/git/rusty/linux.git/tree/Documentation/security/keys-trusted-encrypted.txt
[2] http://thread.gmane.org/gmane.linux.kernel/1656312

Arno Wagner wrote:
> Hi,
>
> you cannot protect the encryption keys in an HSM. To be effective,
> they need to be known to the kernel and are hence exposed to
> root, see also FAQ Item 6.10. This is a fundamental limitation
> of software-based encryption.
>
> Or maybe you want to _store_ the _passphrases_ in an HSM when not
> in use? In that case you may want to feed them to cryptsetup via
> stdin, as described in the man-page.
>
> Arno
>
> On Thu, Mar 06, 2014 at 08:17:59 CET, Sharma, Manjari wrote:
>> Hi Cryptsetup team,
>>
>> This is Manjari Sharma from SafeNet. SafeNet is the largest company
>> exclusively focused on the protection of high-value information assets.
>> I'm trying to integrate our HSM with LUKS so that the encryption keys are
>> protected in an HSM.
>>
>> Could you please help to provide some pointers. I could not find anything
>> relevant after searching for hours; all I can be assured of is that it
>> can be done.
>>
>> Your help would be highly appreciated.
>>
>> Thanks,
>>
>> Kind Regards,
>> Manjari
>>
>> The information contained in this electronic mail transmission
>> may be privileged and confidential, and therefore, protected
>> from disclosure. If you have received this communication in
>> error, please notify us immediately by replying to this
>> message and deleting it from your computer without copying
>> or disclosing it.
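The "alternate dmsetup syntax that uses a key in a kernel-side keyring" mentioned at the top of the thread later materialised: since Linux 4.10, the key field of a dm-crypt table may be written as `:<key_size>:<key_type>:<key_description>` so that the mapping references a keyring entry rather than carrying hex key bytes on the command line. The script below is an added example written for this page, not code from the thread or from the cryptsetup project; it assumes keyutils (`keyctl`) and device-mapper (`dmsetup`) are installed, and the device path, volume name and key description in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a dm-crypt table that names a
# kernel keyring key instead of embedding key material. Assumes the
# ":<key_size>:<key_type>:<key_description>" syntax dm-crypt gained in
# Linux 4.10 (later than this 2014 thread). Device and key names are
# constructed placeholders.

# Build the dm-crypt target line:
#   <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset>
# The key field never holds key bytes, only a keyring reference, so
# "dmsetup table" later shows just the description.
#   $1 key size in bytes, $2 key type (logon|user|encrypted|trusted),
#   $3 key description, $4 backing block device, $5 length in 512-byte sectors
dm_crypt_table() {
    printf '0 %s crypt aes-xts-plain64 :%s:%s:%s 0 %s 0\n' \
        "$5" "$1" "$2" "$3" "$4"
}

# Reject descriptions that are empty, contain whitespace (which would break
# the space-separated table format) or look like raw hex key material that
# someone pasted into the description field by mistake.
safe_key_description() {
    case "$1" in
        ''|*[[:space:]]*) return 1 ;;
    esac
    if printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{64,}$'; then
        return 1
    fi
    return 0
}

# Privileged part (needs root; not run when this file is sourced):
#   1. load the raw key bytes from a file into the session keyring as a
#      "logon" key, a type userspace cannot read back with "keyctl read";
#      logon descriptions must carry a "prefix:" such as "example:vol1"
#   2. activate the mapping using the table built above
setup_keyring_mapping() {
    keyfile=$1; desc=$2; dev=$3
    safe_key_description "$desc" || { echo "bad key description" >&2; return 1; }
    sectors=$(blockdev --getsz "$dev") || return 1
    keyctl padd logon "$desc" @s < "$keyfile" >/dev/null || return 1
    dm_crypt_table 64 logon "$desc" "$dev" "$sectors" \
        | dmsetup create secret_volume
}
```

Once the mapping is active, `dmsetup table secret_volume` prints the `:64:logon:example:vol1` reference rather than the key, which is the practical difference from the classic hex-key table: the key still lives in kernel memory (Arno's point stands), but it is no longer sitting in shell history, process listings or the dmsetup output that an unprivileged user might see.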