>> Let me rephrase my question: what does using OpenSSL engines enable
>> that we can't already do via PKCS#11?
>
> It allows you to use the TPM2 as a secure key store, because there's no
> current PKCS11 code for it.
>
> The essential difference is that Engine files are just that: flat files
> where the key is stored in a form only decodeable by the engine.
> PKCS11 tokens are supposed to be represented by tokens and slots which
> is an active entity storing the key. So, provided I wrap it correctly,
> I can create a TPM representation on one system (I have to know one of
> the hierarchy seeds on the target) transfer the file to the target
> system and use it;…
What I don’t get is – why not transfer those keys to the target machine “somehow”, load them to the TPM there “somehow”, and then treat TPM as a PKCS#11 device?
If there’s no PKCS#11 “driver” for TPM – then that’s what needs to be added, IMHO.
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
