Skip to content

identinetics/keymgmt

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

150 Commits

didi

didi

 
 

docs

docs

 
 

dscripts @ 90e0b81

dscripts @ 90e0b81

 
 

install

install

 
 

.gitignore

.gitignore

 
 

.gitmodules

.gitmodules

 
 

Dockerfile

Dockerfile

 
 

Jenkinsfile.gpg

Jenkinsfile.gpg

 
 

Jenkinsfile.p11

Jenkinsfile.p11

 
 

README.adoc

README.adoc

 
 

REPO_STATUS

REPO_STATUS

 
 

conf.sh.default

conf.sh.default

 
 

Repository files navigation

Key Management App for LiveCD

Table of Contents

This Docker application supports smartcard key management tools for GPG and PKCS11. Its main purpose is to create a secure key managment environment by starting it from the PVZDLiveCD.

1. Supported Smart Cards

There is out-of-the box support for cards, such as:

  • SoftHSMv2 (default)

  • OpenPGP card

  • JavaCard with installed Muscle applet

  • other PKI smartcards supported by OpenSC

To install a proprieatary smart card driver create an image based on this one and include the driver installation in the Dockerfile. An example for Safenet eToken Pro is in the keymgmt-safenetac project.

Commands use PYKCS11LIB to point to the card driver. The default token is SoftHSMv2.

2. Quick start for PKCS#11

git clone https://github.com/identinetics/keymgmt
cd keymgmt/
git submodule update --init
cp conf.sh.default conf.sh
./dscripts/build.sh
./dscripts/run.sh -ipV bash
    /tests/test_hsm_token.sh

3. RSA key generation for PKCS#11

Some smartcard-based HSMs do not support the transfer of on-card generated keys to other devices. For those devices the approach is to generate keys off-card and upload the later. Doing this on an air-gapped LiveCD-based system is recommended then.

3.1. Key-to-card approach

Example how to genrate keys and copy to card:

./dscripts/run.sh -i  # start container if not yet running
/scripts/x509_create_keys_on_disk.sh -n metadata -s /C=AT/ST=Wien/L=Wien/O=Testfirma/OU=IT/CN=localhost
/scripts/pkcs11_key_to_token.sh -c metadata_crt.der -i -k metadata_key.der -l mdsign -n test -s Secret.2 -t Secret.1 -v

3.2. Key-on-card approach

/scripts/pkcs11_key_to_token.sh -c metadata_crt.der -i -k metadata_key.der -l mdsign -n test -s Secret.2 -t Secret.1 -v

4. GPG Support

See the GPG-howto.

5. Key Archiving Tools

5.1. N out of N Key Splitting

A cryptographically secure key splitting scheme for n out of n parties, e.g. with 3 parties:

secret-split -n 3 localhost_key_pkcs1.pem
   or
secret-split --random-source /dev/urandom -n 3 localhost_key_pkcs1.pem  # do not wait for entropy on /dev/random

To recover the original key:

secret-combine -o localhost_key_pkcs1.pem localhost_key_pkcs1.pem.part?

5.2. Print Key as QR-Code

# generate eps
cat localhost_key_pkcs1.pem | base64 | qrencode –o localhost_key_pkcs1.png
# spool to default printer: move file to docker host, spool from there

Print QR-code (e.g. using Libre Office), a SHA256 checksum and the related public key.

6. Known Limitations

Plugging and unplugging readers and cards is not signalled to the application container. (This would need and improved dbus integration with the container.)

Starting haveged before using gpg may lead to an "signing failed: Operation cancelled" error. Workaround: Check available entropy before crypto ops:

cat /proc/sys/kernel/random/entropy_avail

About

docker image with gpg

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages