notaryproject / notary

Notary is a project that allows anyone to have trust over arbitrary collections of data
Apache License 2.0
3.23k stars 511 forks source link

Integrate with other HSMs #795

Open riyazdf opened 8 years ago

riyazdf commented 8 years ago

notary implements the PKCS11 interface so it should be possible to integrate to other HSMs such as CloudHSM and Nitrokey

lewiada-zz commented 8 years ago

So in theory this works but hasn't been tested? Will this work for targets / delegated targets keys, or only root keys? It would be nice for a CI/CD pipeline in AWS to be able to store delegated targets keys in cloud HSM and use that to have the pipeline sign image metadata.

riyazdf commented 8 years ago

Currently, hardware support for root keys in Notary has not been tested across different HSMs but should work "in theory" due to the standard pkcs11 interface.

@endophage can definitely speak more to what changes might need to be made to our pkcs11 code since he's been looking into this more actively.

Storing and signing with targets / delegated keys in yubikes isn't currently supported in Notary but is on the 1.0 roadmap https://github.com/docker/notary/issues/306

endophage commented 8 years ago

Riyaz is spot on. I've been told by other sources that it has been reasonably easy to modify notary to work with other HSMs in PoC situations. We're just starting to get this kind of real world interest in actually making it work so while I don't consider this issue as a blocker on releasing a 1.0, we may want to prioritise it for other reasons.

CloudHSM is of particular interest as we would likely also use it for some (not incl. root) of our official image signing keys. We'd happily accept community help on tweaking and testing the existing PKCS11 implementation that does have a couple of very Yubikey specific instructions (i.e. to enable touch to sign).

stafwag commented 4 years ago

There is even a PR that add support for other HSM's

1369

But this PR seem to be blocked...