On Wed, Oct 28, 2020 at 9:43 AM Bruce Momjian <bruce@momjian.us> wrote:
>
> I don't know much about how to hook into that stuff so if you have an
> idea, I am all ears.
Yeah, I have a reasonable idea. The main thing will be to re-read the patch and put it into more concrete terms, which I'll try to find time for soon. I need to find time to craft a proper demo that uses a virtual HSM, and can also demonstrate how to use the host TPM or a Yubikey using the simple openssl engine interfaces or a URI.
> I have used OpenSSL with Yubikey via PKCS11. You
> can see the use of it on slide 57 and following:
> https://momjian.us/main/writings/crypto_hw_config.pdf#page=57
> Interestingly, that still needed the user to type in a key to unlock the
> Yubikey, so we might need PKCS11 and a password for the same server
> start.
Yes, that's possible. But in that case the passphrase will be asked for by openssl only when required, and we'll need to supply an openssl askpass hook.