Discussion:
[Ejbca-develop] Azure Key Vault for storing HSM backed EJBCA CA keys?
Jaime Hablutzel Egoavil
2017-05-27 06:56:05 UTC
Hi, I would like to hear your opinion about using Azure Key Vault HSM-backed
keys for running an EJBCA CA, considering that these keys can actually be
generated inside or transferred (BYOK) to a Thales nShield HSM in Microsoft
infrastructure, and considering how cheap this service is ($1 per key per
month + $0.03 / 10,000 operations).

Do you see any major security problem with this approach?

What about the changes required in EJBCA to make this work connecting to the
Azure Key Vault REST APIs? Are these expected to be minor changes? Does EJBCA
currently support custom implementations for CA key operations?

For Azure Key Vault and the HSMs it uses, see
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys.
--
Jaime Hablutzel - RPC 994690880
Jaime Hablutzel Egoavil
2017-06-28 23:14:04 UTC
Hi everybody, nothing on this?

In countries like Peru it seems that you can comply with the digital
signature regulation requiring certified HSMs by storing CA keys in cloud
HSMs like the ones offered by Azure Key Vault (i.e. as long as the key is
generated in an HSM it seems to be OK for our regulation).

This being the case, if it were possible to integrate EJBCA with Azure Key
Vault, it would become a really low-cost alternative for some startup setups
to deploy a certification authority.
--
Jaime Hablutzel - RPC 994690880
Herman Vega
2017-06-29 02:01:31 UTC
Hi,

Using Azure Key Vault is a very comfortable option, because Azure deploys using Thales HSMs, and they provide a direct connection protocol with the HSM, which is natively supported by EJBCA. So it is transparent to integrate.

In security, it depends on what controls you implement; for example, I don't know if in Peru the local regulation allows operating without FIPS 140 level 3 mode, which is mostly required for advanced digital signatures, like here in Chile. Consider that keys in Thales nCipher HSMs are stored outside the FIPS module; they are stored encrypted in a database or filesystem.

Regards

Sent from my iPhone
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Ejbca-develop mailing list
https://lists.sourceforge.net/lists/listinfo/ejbca-develop
Jaime Hablutzel Egoavil
2017-06-29 21:20:07 UTC
Thanks Herman, so you are saying that Azure Key Vault HSM provides a PKCS #11
module to connect to their crypto services? I've been looking for this but I
can't find anything.

Could you provide me a reference, please?

Regards.
Herman Vega
2017-06-30 00:53:47 UTC
Hi! See the docs; Azure Key Vault uses the native tools provided by Thales, using nfast:

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys

https://www.ejbca.org/docs/adminguide.html#nCipher%20nShield/netHSM

Regards
Jaime Hablutzel Egoavil
2017-06-30 01:43:58 UTC
Indeed, Azure Key Vault uses Thales nShield HSMs, as indicated in
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys:

*Azure Key Vault uses Thales nShield* family of HSMs to protect your keys.

But they don't seem to provide a direct interface to the HSM through the
native nShield PKCS #11 module; the native-tools instructions in
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys
look related to a BYOK scenario, not to interfacing with Azure Key Vault for
cryptographic operations.

The only interface to Azure Key Vault that I've found is their REST API,
from https://docs.microsoft.com/en-us/rest/api/keyvault/:

*Managing your key vaults* as well as the keys, secrets, and certificates
within your key vaults *can be accomplished through a REST interface*.
...
*Managing within a Key Vault includes* operations for creating, managing
and *executing cryptographic operations with keys*, secrets and
certificates within the Azure environment.

As far as I've looked into this, the only option I think I have is to
create a custom org.cesecore.keys.token.CryptoToken implementation and
interface with Azure Key Vault through their REST API.

What do you think?
--
Jaime Hablutzel - RPC 994690880
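The REST sign exchange that the post above proposes to wrap in a custom CryptoToken, as an added example (Go, runs offline; not EJBCA's, Microsoft's or the poster's code). The request and response shapes follow the Key Vault sign operation: POST to .../keys/{key-name}/{key-version}/sign with a JSON body carrying "alg" and the base64url-encoded digest in "value", and the base64url signature back in "value". The key name, key version, bearer token, the in-process fake vault and the sample to-be-signed bytes are all constructed for the example; against a real vault the bearer is an Azure AD access token, and the private key never leaves the service.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Key Vault's sign operation takes the digest of the data, not the data itself:
// POST {vaultBaseUrl}/keys/{key-name}/{key-version}/sign?api-version=...
// body {"alg":"RS256","value":"<base64url(digest)>"} -> {"kid":"...","value":"<base64url(sig)>"}.
// RS256 is RSASSA-PKCS1-v1_5 over SHA-256, so the client must hash with SHA-256.
type signRequest struct {
	Alg   string `json:"alg"`
	Value string `json:"value"`
}

type signResponse struct {
	Kid   string `json:"kid"`
	Value string `json:"value"`
}

// Key Vault encodes binary fields as base64url without padding.
var b64 = base64.RawURLEncoding

// KeyVaultSignRS256 is the client side a CryptoToken would wrap: hash the
// to-be-signed bytes locally, POST the digest with a bearer token, decode the signature.
func KeyVaultSignRS256(client *http.Client, signURL, bearer string, tbs []byte) ([]byte, error) {
	digest := sha256.Sum256(tbs)
	body, err := json.Marshal(signRequest{Alg: "RS256", Value: b64.EncodeToString(digest[:])})
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, signURL, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+bearer)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		msg, _ := io.ReadAll(resp.Body)
		return nil, fmt.Errorf("key vault sign failed: HTTP %d: %s", resp.StatusCode, msg)
	}
	var sr signResponse
	if err := json.NewDecoder(resp.Body).Decode(&sr); err != nil {
		return nil, err
	}
	return b64.DecodeString(sr.Value)
}

// fakeVault stands in for the Key Vault endpoint so the exchange runs offline
// (constructed for this example). It enforces the bearer token, accepts only
// RS256 with a SHA-256-sized digest, and signs with a key that never leaves it.
func fakeVault(key *rsa.PrivateKey, bearer string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.Header.Get("Authorization") != "Bearer "+bearer {
			http.Error(w, `{"error":{"code":"Unauthorized"}}`, http.StatusUnauthorized)
			return
		}
		var sr signRequest
		if err := json.NewDecoder(r.Body).Decode(&sr); err != nil {
			sr.Alg = "" // malformed body falls into the parameter check below
		}
		digest, err := b64.DecodeString(sr.Value)
		if err != nil || sr.Alg != "RS256" || len(digest) != sha256.Size {
			http.Error(w, `{"error":{"code":"BadParameter"}}`, http.StatusBadRequest)
			return
		}
		sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest)
		if err != nil {
			http.Error(w, `{"error":{"code":"InternalServerError"}}`, http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(signResponse{Kid: r.URL.Path, Value: b64.EncodeToString(sig)})
	})
}

const vaultToken = "constructed-bearer-token" // stands in for an Azure AD access token

// RoundTrip signs tbs through the REST exchange against a fresh in-process key and
// verifies the result with the public key, as a relying party checking the CA's
// signature would. A request the vault rejects surfaces as an error.
func RoundTrip(tbs []byte, bearer string) (bool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	srv := httptest.NewServer(fakeVault(key, vaultToken))
	defer srv.Close()
	// Key name and version are made up; api-version 2016-10-01 was current in 2017.
	url := srv.URL + "/keys/ca-signing-key/0123456789abcdef/sign?api-version=2016-10-01"
	sig, err := KeyVaultSignRS256(srv.Client(), url, bearer, tbs)
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256(tbs)
	return rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest[:], sig) == nil, nil
}

func main() {
	ok, err := RoundTrip([]byte("constructed tbsCertificate bytes"), vaultToken)
	fmt.Println("signature verified:", ok, "error:", err)
}
```

The point a CryptoToken author needs from this: the vault signs a digest it never sees the input of, so the hash computed on the EJBCA side must match the algorithm named in "alg" (SHA-256 for RS256) or the resulting certificate signature will not verify, and every signature is one authenticated HTTPS round trip, which is what the per-operation pricing in the first post is counting.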
Tomas Gustavsson
2017-06-30 06:55:06 UTC
Yes, please contribute an implementation for this REST API; that would be
awesome.

Regards,
Tomas

