On Thu, 2 Nov 2017, James Bottomley wrote:
> On Fri, 2017-11-03 at 13:11 +1100, Damien Miller wrote:
> > On Thu, 26 Oct 2017, James Bottomley wrote:
> > >
> > > Engine keys are keys whose file format is understood by a specific
> > > engine rather than by openssl itself. Since these keys are file
> > > based, the pkcs11 interface isn't appropriate for them because they
> > > don't actually represent tokens.
> >
> > What sort of keys do you have in mind here that can't be represented
> > via PKCS#11?
>
> Well, the engine keys are flat files, so the usual use case is to take
> the private key file and replace it with an engine key file in the .ssh
> directory so the private key becomes tied to the hardware platform and
> cannot be usefully exfiltrated.

Let me rephrase my question: what does using OpenSSL engines enable that we
can't already do via PKCS#11?

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev