|
|
|
|
|
|
by cwalv
519 days ago
|
|
|
> Complete overkill requiring the use of a YubiKey for key storage and external RNG source - what problems does solve? For a Yubikey to act as a poor man's HSM you have to store the PIN in plaintext on the disk You still can't exfiltrate the key material. > If it's to protect against physical theft of the keys, they'll just put the entire Raspberry Pi in their pocket. Just because someone has compromised your device doesn't mean they have physical access. That's the point. > They're generating the private key on disk then importing into the YubiKey. Which defeats having an external key storage device because you have left traces of the key on disk. The traces don't have to be left behind. Is this excessive 'overkill', or is the 'digital duct taping the windows and doors' insufficient? > An instance of openssl or xca covers 99.9% of "homelab" use cases The interesting thing about this article is that it adds a few 9's that are covered, and it's both easy and cheap. |
|
|
And? What actual problem does this solve or realistic threat does this prevent? They are not decryption keys they are used to digitally sign certificates.
What the DigiNotar hack taught us years ago is if your CA is compromised you are already 0wned doesn't matter if the key is stored in an HSM or not.
All they can do with a stolen key is issue more certificates. Which they can do anyway if they have root access to the CA.
You can put 12 locks on your door but if they're all keyed to the same key you've stored under the plant on the porch, it doesn't really matter.
> The interesting thing about this article is that it adds a few 9's that are covered, and it's both easy and cheap.
Hard to say if those extra 9's need an external RNG for extra entropy.