This Docker application supports smartcard key management tools for GPG and PKCS11. Its main purpose is to create a secure key managment environment by starting it from the PVZDLiveCD.
There is out-of-the box support for cards, such as:
-
SoftHSMv2 (default)
-
OpenPGP card
-
JavaCard with installed Muscle applet
-
other PKI smartcards supported by OpenSC
To install a proprieatary smart card driver create an image based on this one and include the driver installation in the Dockerfile. An example for Safenet eToken Pro is in the keymgmt-safenetac project.
Commands use PYKCS11LIB to point to the card driver. The default token is SoftHSMv2.
git clone https://github.com/identinetics/keymgmt cd keymgmt/ git submodule update --init cp conf.sh.default conf.sh ./dscripts/build.sh ./dscripts/run.sh -ipV bash /tests/test_hsm_token.sh
Some smartcard-based HSMs do not support the transfer of on-card generated keys to other devices. For those devices the approach is to generate keys off-card and upload the later. Doing this on an air-gapped LiveCD-based system is recommended then.
Example how to genrate keys and copy to card:
./dscripts/run.sh -i # start container if not yet running /scripts/x509_create_keys_on_disk.sh -n metadata -s /C=AT/ST=Wien/L=Wien/O=Testfirma/OU=IT/CN=localhost /scripts/pkcs11_key_to_token.sh -c metadata_crt.der -i -k metadata_key.der -l mdsign -n test -s Secret.2 -t Secret.1 -v
See the GPG-howto.
A cryptographically secure key splitting scheme for n out of n parties, e.g. with 3 parties:
secret-split -n 3 localhost_key_pkcs1.pem or secret-split --random-source /dev/urandom -n 3 localhost_key_pkcs1.pem # do not wait for entropy on /dev/random
To recover the original key:
secret-combine -o localhost_key_pkcs1.pem localhost_key_pkcs1.pem.part?
Plugging and unplugging readers and cards is not signalled to the application container. (This would need and improved dbus integration with the container.)
Starting haveged before using gpg may lead to an "signing failed: Operation cancelled" error. Workaround: Check available entropy before crypto ops:
cat /proc/sys/kernel/random/entropy_avail