You can use a keystore on disk, but this is inherently insecure, as people with administrator access to the machine can copy the keystore. Using an external device (such as a USB Hardware Security Module) as a keystore is more secure, as you need physical access to the machine to access the keystore. If you have 3 failed attempts to access the keystore using a PIN code, the device locks up.
I found this document a good high-level introduction to smart keys.
This post describes the initial setup for using the Hardware Security Module from Nitrokey for securely storing my digital certificates. It comes as a USB device. I chose it because it cost under 80 euros. There are other suppliers, such as Yubico, but either they did not supply a price, or it was “call us to discuss it”.
The Nitrokey HSM is open sourced, and uses open source facilities.
Software needed to use the key.
My machine is Linux Ubuntu 18.04.
You need software installed to configure it.
sudo apt install opensc pcscd pcsc-tools
To be able to use openssl you need an “engine” interface.
sudo apt install libengine-pkcs11-openssl
Once installed, you need to start it
sudo systemctl start pcscd
sudo systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
Loaded: loaded (/lib/systemd/system/pcscd.service; indirect; vendor preset: enabled)
Active: active (running) since Tue 2021-03-02 08:49:27 GMT; 2s ago
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Nitrokey Nitrokey HSM (DENK01051600000 ) 00 00
This shows that the card
- is in slot number 0. You may need this number when configuring keys, for example in openssl. This number is like a USB port number.
- is a physical card
- has no features listed
- comes from Nitrokey and is a Hardware Security Module with the given serial number.
The device has
- a device PIN (SO-PIN), which is needed for administration, such as reinitialising the device or setting a user PIN. This is 16 hex characters.
- a user PIN to allow users access to modify keys. The user PIN is a 6-15 digit string.
You need to consider how you use your device. You can have it self-contained, with the private information private to the device. This may be acceptable for a test device, but not in production, where you want to securely back up the keystore and securely share the keystore between different machines. This can be done using a Device Key Encryption Key (DKEK). The DKEK is a 256-bit AES key.
You can configure this so that more than one person is needed to enable a new device with this DKEK: you can configure that n out of m people are needed. This is described here under Using key backup and restore.
You can use sc-hsm-tool – smart card utility for SmartCard-HSM, to
- Initialize token, removing all existing keys, certificates and files.
- Create a DKEK share encrypted under a password and save it to the file given as parameter.
- Read and decrypt DKEK share and import into SmartCard-HSM
- Define device pin for initialization
- Force removal of existing key, description and certificate.
- Define the token label to be used in --initialize.
- Back up a private key to an encrypted external file, using the DKEK.
- Restore a private key from an external encrypted file into the device, using the DKEK.
You need to initialise the device; see here.
sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1 --label mytoken
sc-hsm-tool --create-dkek-share dkek-share-1.pbe
sc-hsm-tool --import-dkek-share dkek-share-1.pbe
The command pkcs11-tool -L gave
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK01051600000 ) 00 00
  token label        : UserPIN (mytoken)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.4
  serial num         : DENK0105160
  pin min/max        : 6/15
The token label : UserPIN (mytoken) has the name I entered in the --label option above. When using MQ and GSKIT with this device, I needed to identify the device with “UserPIN (mytoken)”, not just “mytoken”.
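The exact label string matters, so it is worth reading it from the device listing rather than retyping it. The following is an added example, not part of the original post: shell helpers that read pkcs11-tool -L output and return a field (such as the token label) for a slot, and check that the token is initialised and requires login. The function names and the empty second slot in the sample are constructed for illustration.

```shell
# Constructed sample: the listing from this post plus an empty second slot.
sample_listing() {
cat <<'EOF'
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK01051600000 ) 00 00
  token label        : UserPIN (mytoken)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.4
  serial num         : DENK0105160
  pin min/max        : 6/15
Slot 1 (0x4): Empty reader (constructed)
  (empty)
EOF
}

# token_field SLOT FIELD: print FIELD for slot SLOT; fails if it is absent.
# On a real machine: pkcs11-tool -L | token_field 0 "token label"
token_field() {
    awk -v slot="$1" -v field="$2" '
        BEGIN { cur = "-" }                        # not inside any slot yet
        /^Slot [0-9]+ / { cur = $2; next }         # remember the current slot
        cur == slot {
            i = index($0, ":")
            if (i == 0) next                       # e.g. the "(empty)" line
            name = substr($0, 1, i - 1); value = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (name == field) { print value; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# token_ready SLOT: succeed only if the token is initialised, has a user PIN
# set, and demands login before its private objects can be used.
token_ready() {
    flags=$(token_field "$1" "token flags") || return 1
    for want in "token initialized" "PIN initialized" "login required"; do
        case ", $flags," in
            *", $want,"*) ;;
            *) echo "slot $1: missing flag: $want" >&2; return 1 ;;
        esac
    done
}
```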
You can create a private key using
pkcs11-tool --keypairgen --key-type rsa:2048 --id 10 --label "my_key"
Using slot 0 with a present token (0x0)
Key pair generated:
Private Key Object; RSA
label: Private Key
Usage: decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
label: Private Key
Usage: encrypt, verify, wrap
You can omit the --id, and it will generate a (long) id for you. You can list the objects (in-use slots) in the device
You can delete the one we just created
pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 10
You can delete with --type set to privkey, pubkey or cert.