On Thu, 2020-01-30 at 16:24 +0100, James Bottomley wrote:
> Engine keys are keys whose file format is understood by a specific
> engine rather than by openssl itself. Since these keys are file
> based, the pkcs11 interface isn't appropriate for them because they
> don't actually represent tokens.

There is already a tpm2-pkcs11 module which addresses the same use case
in a standard way for TPM2:

https://github.com/tpm2-software/tpm2-pkcs11

I do not think all the applications that want support for TPM2/engines
should need to implement support for engines. Especially when the
engines are to be replaced by a new providers interface in future
OpenSSL releases:

https://www.openssl.org/docs/OpenSSLStrategicArchitecture.html

Regards,
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
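The standard PKCS#11 path the reply points to, shown as an added shell example that is not part of the thread and not code from the tpm2-pkcs11 project: OpenSSH already speaks PKCS#11 through ssh-keygen -D (to export the token's public keys) and ssh-add -s (to load the private keys into ssh-agent), so no engine support is needed on the OpenSSH side. The module path is an assumption (it is distribution-specific and can be overridden through the hypothetical TPM2_PKCS11_MODULE variable), and the token is assumed to have been provisioned beforehand with the project's own tooling, which is not shown here.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: use a TPM2-backed key with
# OpenSSH through the generic PKCS#11 interface instead of an OpenSSL engine.
#
# Assumption: the module lives at the path below on this system (override with
# TPM2_PKCS11_MODULE). The token itself must already be provisioned.
MODULE="${TPM2_PKCS11_MODULE:-/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so}"

# Sanity-check the shared object before handing it to ssh-keygen/ssh-add.
# Exit status: 0 usable, 2 path missing, 3 present but not a readable file.
check_module() {
    m="$1"
    [ -e "$m" ] || return 2
    [ -f "$m" ] && [ -r "$m" ] || return 3
    return 0
}

# Print the public keys held by the token in authorized_keys format. The
# server only ever sees these lines; it needs no knowledge of the TPM.
list_keys() {
    check_module "$1" || return $?
    ssh-keygen -D "$1"
}

# Load the token's private keys into the running ssh-agent. Signing happens
# inside the module (and thus the TPM); the key material never leaves it.
load_into_agent() {
    check_module "$1" || return $?
    ssh-add -s "$1"
}

# Usage: sh tpm2-ssh.sh run
if [ "${1:-}" = "run" ]; then
    list_keys "$MODULE" && load_into_agent "$MODULE"
fi
```

The check_module guard matters in practice: ssh-add -s will prompt for the module's PIN before reporting a bad path, so failing fast on a missing or unreadable module avoids a confusing PIN prompt and makes the script usable from provisioning automation.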