DM-Crypt Archive mirror
From: Ingo Franzki <ifranzki@linux.ibm.com>
To: "FERON, Laurent (SOGETI REGIONS SAS)" <laurent.feron.external@airbus.com>, "dm-crypt@saout.de" <dm-crypt@saout.de>
Subject: Re: [dm-crypt] LUKS + HSM
Date: Mon, 4 Nov 2019 15:24:42 +0100
Message-ID: <8145e337-5694-41ac-b347-b42a03cb4ebf@linux.ibm.com>
In-Reply-To: <66a92cda384e4325bb5cacf59e0d77a2@DE0-44DAG04-P01.central.mail.corp>

On 04.11.2019 14:55, FERON, Laurent (SOGETI REGIONS SAS) wrote:
> Hello All
> Is it possible to use LUKS with an HSM? Apparently yes, based on some pages on the Net, but it is not well explained how to proceed with this integration (through P11).
> I would like a maximum of crypto operations performed within the HSM without any human operation.
> Which key can we use in the HSM (symmetric, asymmetric, or asymmetric with certificate)?
> Once done, is it possible to renew the keys? Etc ...
> If someone has already added an HSM for LUKS and can give advice, it will help me a lot ... Thanks
> Laurent

Hi Laurent,

not sure if this is exactly what you are looking for, but there is a solution for using secure keys (i.e. keys encrypted by a master key of an HSM) with dm-crypt for the IBM Z (s390x) architecture.

It makes use of a special kernel cipher called 'paes' which can be used with dm-crypt transparently, but uses secure keys as input. For performance reasons it transforms the secure keys with the help of the HSM into so-called protected keys, which is a concept similar to secure keys, except that a protected key is encrypted by a master key of the firmware instead of the HSM. With that protected key, the paes cipher can then encrypt mass data with the help of the hardware crypto support of IBM Z. You don't really want to encrypt mass data with a secure key where you have to go to the HSM for each and every block of data to en/decrypt. This would not perform well for mass data, such as for dm-crypt.

More to read about that support for Linux on IBM Z:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lxdc/lxdc_linuxonz.html
http://www.vmworkshop.org/2019/present/lxendend.pdf

Kind regards, Ingo



-- 
Ingo Franzki
eMail: ifranzki@linux.ibm.com  
Tel: ++49 (0)7031-16-4648
Fax: ++49 (0)7031-16-3456
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany
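The secure-key to protected-key flow Ingo describes, as an added shell example that is not part of the original message or of IBM's own documentation: it checks that the running kernel registers the XTS variant of paes, generates a CCA secure key in the HSM with zkey, and formats a LUKS2 volume with that secure key as the volume key using the paes-xts-plain64 cipher. The device /dev/dasdb1, the dm-crypt name enc-disk and the repository key name enc-disk-xts are assumptions; the zkey and cryptsetup options are the ones shipped in s390-tools and cryptsetup 2.x, and the --key-size value is derived from the secure key file rather than typed in, because LUKS sees the secure key token, not the AES key strength.

```shell
#!/bin/sh
# Added example (not from the original message): set up a LUKS2 volume on
# Linux on IBM Z whose volume key is a CCA secure key, i.e. an AES key
# wrapped by the HSM master key, driven through the kernel 'paes' cipher.
# Assumed, not from the post: device /dev/dasdb1, dm-crypt name enc-disk,
# zkey repository key name enc-disk-xts. Run with PAES_RUN=1 on a system
# with a CCA adapter and the zkey/cryptsetup tools; otherwise the script
# only defines the helper functions.
set -eu

DEV="${DEV:-/dev/dasdb1}"
DMNAME="${DMNAME:-enc-disk}"
KEYNAME="${KEYNAME:-enc-disk-xts}"
KEYFILE="/etc/zkey/repository/${KEYNAME}.skey"

# Returns 0 if the kernel registers an XTS paes implementation. /proc/crypto
# lists algorithms as "name : xts(paes)" stanzas (driver xts-paes-s390);
# without it, opening a paes-xts-plain64 volume fails in dm-crypt.
has_paes_xts() {
    grep -Eq '^name[[:space:]]*:[[:space:]]*xts\(paes\)$' "${1:-/proc/crypto}"
}

# The --key-size cryptsetup needs is the secure key file's length in bits,
# not the AES strength: a CCA AES secure-key token is 64 bytes and an XTS
# key is two tokens, so an AES-256 XTS secure key is 128 bytes = 1024 bits.
luks_key_size_bits() {
    echo $(( $(wc -c < "$1") * 8 ))
}

paes_setup() {
    if ! has_paes_xts; then
        echo "no xts(paes) in /proc/crypto: load paes_s390 / check CPACF" >&2
        return 1
    fi
    # 1. Generate the secure key inside the HSM. The .skey file holds the
    #    key encrypted under the CCA master key; the clear AES key never
    #    leaves the adapter. The volume association lets 'zkey cryptsetup'
    #    find the key for this device later.
    zkey generate --name "$KEYNAME" --keybits 256 --xts \
        --volumes "${DEV}:${DMNAME}" --volume-type LUKS2
    # 2. Check that the token is intact and usable with the current master key.
    zkey validate --name "$KEYNAME"
    # 3. Format with the secure key as the LUKS volume key. The key slot
    #    wraps the secure key, not a clear key; the passphrase prompt
    #    protects that slot as usual.
    bits=$(luks_key_size_bits "$KEYFILE")
    cryptsetup luksFormat --type luks2 --cipher paes-xts-plain64 \
        --key-size "$bits" --master-key-file "$KEYFILE" "$DEV"
    # 4. Open: here paes asks the adapter to turn the secure key into a
    #    firmware-wrapped protected key; bulk I/O then runs in CPACF with
    #    no further HSM round trips.
    cryptsetup luksOpen "$DEV" "$DMNAME"
    # 5. Confirm the volume's key slots match the current HSM master key.
    zkey-cryptsetup validate "$DEV"
}

if [ "${PAES_RUN:-0}" = 1 ]; then
    paes_setup
fi
```

A note on what this buys, added here rather than taken from the post: after step 3 the LUKS header contains only a secure key, so a copied header plus the passphrase is useless without the adapter holding the matching master key. That also answers the renewal question in part: when the CCA master key is rotated, the repository key and the LUKS key slots are re-enciphered in place with `zkey reencipher` and `zkey-cryptsetup reencipher` (both in s390-tools), without rewriting the data on the volume.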


Thread overview: 2+ messages
2019-11-04 13:55 [dm-crypt] LUKS + HSM FERON, Laurent (SOGETI REGIONS SAS)
2019-11-04 14:24 ` Ingo Franzki [this message]