Open riyazdf opened 8 years ago
So in theory this works but hasn't been tested? Will this work for targets / delegated targets keys, or only root keys? It would be nice for a CI/CD pipeline in AWS to be able to store delegated targets keys in cloud HSM and use that to have the pipeline sign image metadata.
Currently, hardware support for root keys in Notary has not been tested across different HSMs but should work "in theory" due to the standard pkcs11 interface.
@endophage can definitely speak more to what changes might need to be made to our pkcs11 code since he's been looking into this more actively.
Storing and signing with targets / delegated keys in Yubikeys isn't currently supported in Notary but is on the 1.0 roadmap https://github.com/docker/notary/issues/306
Riyaz is spot on. I've been told by other sources that it has been reasonably easy to modify notary to work with other HSMs in PoC situations. We're just starting to get this kind of real world interest in actually making it work so while I don't consider this issue as a blocker on releasing a 1.0, we may want to prioritise it for other reasons.
CloudHSM is of particular interest as we would likely also use it for some (not incl. root) of our official image signing keys. We'd happily accept community help on tweaking and testing the existing PKCS11 implementation that does have a couple of very Yubikey specific instructions (i.e. to enable touch to sign).
There is even a PR that adds support for other HSMs.
But this PR seems to be blocked...
notary implements the PKCS11 interface so it should be possible to integrate with other HSMs such as CloudHSM and Nitrokey