>> Let me rephrase my question: what does using OpenSSL engines enable
>> that we can't already do via PKCS#11?
>
> It allows you to use the TPM2 as a secure key store, because there's no
> current PKCS11 code for it.
>
> The essential difference is that Engine files are just that: flat files
> where the key is stored in a form only decodeable by the engine.
> PKCS11 tokens are supposed to be represented by tokens and slots which
> is an active entity storing the key. So, provided I wrap it correctly,
> I can create a TPM representation on one system (I have to know one of
> the hierarchy seeds on the target) transfer the file to the target
> system and use it;…

What I don’t get is – why not transfer those keys to the target machine “somehow”, load them to the TPM there “somehow”, and then treat TPM as a PKCS#11 device? If there’s no PKCS#11 “driver” for TPM – then that’s what needs to be added, IMHO.
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev