NLnetLabs / krill

RPKI Certificate Authority and Publication Server written in Rust
https://nlnetlabs.nl/projects/routing/krill/
Mozilla Public License 2.0

Docker HSM support #574

Open ximon18 opened 3 years ago

ximon18 commented 3 years ago

Can a Docker container connect “out” to an HSM? Should we verify this and document this use case?

ties commented 3 years ago

For an nCipher HSM, a container can connect to an HSM. This is available through a (paid) container option pack - but it is also feasible to figure out on your own - I did so independently for a dev environment.

So I'd argue it is possible in theory (and mostly involves some socat). It probably involves a custom container per hsm type though.

ximon18 commented 2 years ago

So, now that the feature is released and we've done quite a bit of testing against various HSMs I note that HSM support from within a Docker container running Krill is not special in any way.

Connecting to an HSM using the KMIP TLS+TTLV protocol just requires network connectivity to wherever the KMIP capable HSM service is running.

Connecting to an HSM via PKCS#11 requires that the PKCS#11 library and any dependencies be available to the krill binary running inside the container, that any necessary setup for the PKCS#11 library has already been done, and that the library itself is able to connect out from the Docker container if necessary to wherever the HSM is running (in the case of SoftHSMv2 everything may be available inside the container running 'krill' itself), e.g. if the library has to make an outbound network connection it is up to the operator to ensure that the container has access to the network, etc.

So I'd argue it is possible in theory (and mostly involves some socat). It probably involves a custom container per hsm type though.

@ties: What did you mean here by "custom container per hsm type"? Were you suggesting that someone (users or us) would need to bundle the necessary dependencies (e.g. PKCS#11 library and supporting libraries/files) into an HSM-variant-specific Docker image to work out-of-the-box with that particular HSM variant?

ties commented 2 years ago

@ties: What did you mean here by "custom container per hsm type"? Were you suggesting that someone (users or us) would need to bundle the necessary dependencies (e.g. PKCS#11 library and supporting libraries/files) into an HSM-variant-specific Docker image to work out-of-the-box with that particular HSM variant?

I expect that this is needed for some HSMs. Even when using PKCS#11, a daemon may be needed before an HSM can be used.

krill --[PKCS#11]--> HSM daemon --[network/ipc/syscalls]--> HSM device

I would leave this to the users though.
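The preconditions discussed above (PKCS#11 module plus its dependencies present in the container, a vendor HSM daemon reachable over its IPC socket, and a KMIP service reachable over TCP from the container) as a runnable pre-flight script. This is an added example, not code from Krill or from the commenters; the module path, socket path, host and port in it are placeholders.

```shell
#!/bin/sh
# Pre-flight checks for running Krill with an HSM inside a Docker container.
# Added example; all paths, hosts and ports are illustrative placeholders.

# Return 0 when the PKCS#11 module at $1 exists and ldd resolves every
# shared library it depends on; report the unresolved ones otherwise.
check_pkcs11_module() {
    lib="$1"
    if [ ! -f "$lib" ]; then
        echo "PKCS#11 module not found: $lib" >&2
        return 1
    fi
    if ! command -v ldd >/dev/null 2>&1; then
        echo "ldd not available; cannot verify dependencies of $lib" >&2
        return 1
    fi
    missing=$(ldd "$lib" 2>/dev/null | grep 'not found' || true)
    if [ -n "$missing" ]; then
        echo "unresolved dependencies for $lib:" >&2
        echo "$missing" >&2
        return 1
    fi
    return 0
}

# Return 0 when the vendor HSM daemon's Unix socket at $1 is visible in the
# container (the "krill --[PKCS#11]--> HSM daemon" hop), e.g. bind-mounted.
check_hsm_daemon_socket() {
    if [ -S "$1" ]; then
        return 0
    fi
    echo "HSM daemon socket not present in container: $1" >&2
    return 1
}

# Return 0 when a TCP connection to the KMIP service $1:$2 opens within
# $3 seconds (default 3). Uses nc when present, otherwise bash's /dev/tcp.
check_kmip_reachable() {
    host="$1"; port="$2"; secs="${3:-3}"
    if command -v nc >/dev/null 2>&1; then
        nc -z -w "$secs" "$host" "$port" >/dev/null 2>&1 && return 0
    elif command -v timeout >/dev/null 2>&1 && command -v bash >/dev/null 2>&1; then
        timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1 && return 0
    fi
    echo "cannot reach KMIP service at $host:$port from this container" >&2
    return 1
}

# Example invocation with placeholder values:
# check_pkcs11_module /usr/lib/softhsm/libsofthsm2.so && \
# check_kmip_reachable kmip.example.internal 5696 3
```

Run it as the container's entrypoint precheck so a misconfigured image fails fast instead of Krill failing later when it first tries to sign.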